Slashdot Mirror


New Attack Fells Internet Explorer

alphadogg writes "Attack code has been identified that could be used to break into a PC running older versions of Microsoft's Internet Explorer browser. The code was posted Friday to the Bugtraq mailing list by an unidentified hacker. According to security vendor Symantec, the code does not always work properly, but it could be used to install unauthorized software on a victim's computer."

202 comments

  1. Virus warning by dennis_k85 · · Score: 0, Interesting

    As soon as I go to the Bugtraq web site, my anti-virus scanner goes off like crazy.

    --
    cd pub
    more beer
    1. Re:Virus warning by clang_jangle · · Score: 3, Insightful

      As soon as I go to the Bugtraq web site, my snake oil scamware goes off like crazy.

      FTFY.

      --
      Caveat Utilitor
    2. Re:Virus warning by Anonymous Coward · · Score: 0

      Avast AV is detecting the page for me too. It seems more likely that it is detecting there being pieces of viral code on the page rather than it actually being infected with a virus, due to the nature of the site, however.

    3. Re:Virus warning by Anonymous Coward · · Score: 0

      That should tell you something about your virus scanner...

    4. Re:Virus warning by Anonymous Coward · · Score: 2, Informative

      It should tell him that his scanner spots that malicious code, like most AVs: http://www.virustotal.com/analisis/74af02248eb35da5a0e615538f73ecd37e186aef5234da237908ba48290c2aa5-1258907794

    5. Re:Virus warning by dennis_k85 · · Score: 0

      I'm using Avast AV too. It just says there is malware on the page. Weird.

      --
      cd pub
      more beer
    6. Re:Virus warning by someone1234 · · Score: 2, Informative

      Yes, it detects the code on display, not an actual exploit.
      It is crappy AV software.

      --
      Patents Drive Free Software as Hurricanes Drive Construction Industry
  2. Is that supposed to be news?? by rpp3po · · Score: 4, Insightful

    Yes, old, unpatched browser versions can be exploited. Is this a joke?

    1. Re:Is that supposed to be news?? by UnknowingFool · · Score: 4, Insightful

      old != unpatched.

      The article says IE 6 and IE7. It does not say unpatched. For many people these are their current browsers as they have not upgraded to IE 8. For business users, their companies may still insist they use older browsers until they are able to migrate certain software to the new version.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    2. Re:Is that supposed to be news?? by thetoadwarrior · · Score: 2, Insightful

      It mentioned versions 6 & 7. Considering how long people hold onto their version of IE, it will be ages until IE7 disappears. Also, MS does have some contracts with companies that means they're stuck on Win 2k for now, which means nothing greater than IE6. Granted these companies could use FF, but understandably they're paying for support from MS and want to use a browser they will support.

      If MS is going to be taking money for something like this then they should still be supporting IE6 and patching up its holes.

    3. Re:Is that supposed to be news?? by DarkOx · · Score: 3, Insightful

      Considering how long people hold onto their version of IE, it will be ages until IE7 disappears.

      I really don't think you are right about that. There will always be those home users on dialup that don't run automatic updates ever, but they are not very useful in a botnet anyway. Most people will get update to IE8 weather they mean to do it or not. IE 6 lives in the corporate space because it was around long enough for its own software ecosystem to develop in and on it. IE7 was around for like a year before 8 was released as beta, and 8 does not break much compatibility with 7; it's much less significant than 6 -> 7.

      I doubt there is much code out there targeted at 7 that does not work on 8. The projects that do would have to have been pretty small and would have been designed and completed in a pretty narrow time window between 7's release and the pretty clear public information on what was coming in 8.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    4. Re:Is that supposed to be news?? by caluml · · Score: 4, Insightful

      I work for a very large bank, and IE 6 is the corporate standard. The banking platform is only designed to work with IE6. Some of the internal admin tools don't work with IE8.

    5. Re:Is that supposed to be news?? by commodore64_love · · Score: 0, Flamebait

      I just upgraded from 6 to 7 around two months ago.

      I guess it's time to hop to 8. I'm tired of constantly upgrading everything. I drive an old car built in 1997, and I don't understand why I can't keep running the same browser at least a few years. Yeah I know - constant updating keeps programmers employed.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    6. Re:Is that supposed to be news?? by PitaBred · · Score: 0, Flamebait

      Yeah. A Model-T should be enough for anyone. These new "fuel injectors" instead of carburetors... just because they're more efficient and work more reliably doesn't mean we actually need those! Why would I want to update my technology to get new features? Gopher was enough for a long time! Why change?

      /me gets off your lawn

    7. Re:Is that supposed to be news?? by Zero__Kelvin · · Score: 1

      "Most people will get update to IE8 weather they mean to do it or not."

      You don't need a weather man to know which way the Windows blows ...

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    8. Re:Is that supposed to be news?? by Anonymous Coward · · Score: 1, Funny

      Are you the type that enjoys hitting yourself in the head with a hammer because it feels so good when you stop?

      Installing and upgrading Firefox is simple and painless.

    9. Re:Is that supposed to be news?? by lord_rob+the+only+on · · Score: 4, Interesting

      Using SAP by any chance ?

      In my former company, they use SAP and it's absolutely an IE only application for its web interface. It doesn't work *at all* with Firefox. At least that was the case when I was working there (We were using SAP ECC6)

    10. Re:Is that supposed to be news?? by rliden · · Score: 1

      Here is the lemma to your myopic car analogy: Replace the brakes, belts, and other wearables. Service your engine and transmission at required intervals. When a warranty recall for a defective part is issued, bring the vehicle to the dealer to have it replaced. If you don't do these things and service your vehicle, it will break down and leave you vulnerable to the consequences. Yeah I know - maintaining your vehicle keeps mechanics employed.

      --
      Don't think of it as a flame, more like an argument that does 3d6 fire damage.
    11. Re:Is that supposed to be news?? by cenc · · Score: 0

      You know, I keep hearing people say that companies have to keep these browsers because of some software that they can not upgrade, as an excuse for the continued use of 6 and 7. What frigen company has managed to hang on to a totally shit piece of web software that depends on Windows 6 or 7 to function?

      Whoever they are, they have bigger IT problems than this exploit will ever generate.

    12. Re:Is that supposed to be news?? by Anonymous Coward · · Score: 1, Interesting

      There are niche areas of IT, which you've obviously not worked in, where some vendors have a web interface driven piece of equipment and they are VERY slow to update said interface to work with current browsers. Unless things have changed in the last 6 months or so, IE7 support was just coming out for that equipment. So you can see how long it will be before 8 is supported. I will not name that niche or the company that supplies equipment to it, but suffice to say that every city has at least a couple of these places...

    13. Re:Is that supposed to be news?? by Anonymous Coward · · Score: 1, Informative

      The US Air Force only released IE7 to its non-classified desktops earlier this year. Widespread Vista deployment has been pushed from early 2008 to mid-2010 (and that's just the current "best-case" estimate, I expect more delays). IE is necessary for logging into many, many DoD websites using the Common Access Card.

    14. Re:Is that supposed to be news?? by mister_playboy · · Score: 1

      Liar.

      --
      Do what thou wilt shall be the whole of the Law ::: Love is the law, love under will
    15. Re:Is that supposed to be news?? by commodore64_love · · Score: 1, Informative

      I said a *few* years..... as in more than one. Not 90.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    16. Re:Is that supposed to be news?? by commodore64_love · · Score: 1, Offtopic

      Maintenance?

      What's that? J/K. That maintenance I can deal with but the annual inspections just so garages can look for something to repair really piss me off. I miss my old state that had no inspections (at point-of-sale and that was it).

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    17. Re:Is that supposed to be news?? by MillionthMonkey · · Score: 3, Interesting

      I'm tired of constantly upgrading everything. I drive an old car built in 1997, and I don't understand why I can't keep running the same browser at least a few years. Yeah I know - constant updating keeps programmers employed.

      Drat, improving technology keeps programmers employed.
      Double drat- your reluctance to update combined with a propensity to complain keeps additional people employed just to make sure things continue to look pretty on your screen.

    18. Re:Is that supposed to be news?? by Sir_Lewk · · Score: 2, Insightful

      With an attitude like that, you are a nuisance to everyone else on the road.

      --
      "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
    19. Re:Is that supposed to be news?? by MillionthMonkey · · Score: 2, Informative

      What frigen company has managed to hang on to a totally shit piece of web software that depends on Windows 6 or 7 to function?
      Whoever they are, they have bigger IT problems than this exploit will ever generate.

      A lot of people- you'd be surprised. Earlier this year I worked for a place where at least a third of their customers (from academic departments, mostly) were still using IE6 and various IE5 versions.

    20. Re:Is that supposed to be news?? by RobertM1968 · · Score: 2, Informative

      old != unpatched.

      For business users, their companies may still insist they use older browsers until they are able to migrate certain software to the new version.

      Or upgrade hardware - we have a variety of customers whose machines are too old to run IE7 or IE8 efficiently, and who have no plans (or budget or whatever) to upgrade their hardware until it dies or is very near death.

    21. Re:Is that supposed to be news?? by Anonymous Coward · · Score: 0

      Isn't IE5, like, you know, very old?

      But, one of my excuses for sticking with IE6 (and my reason for posting anonymously), is that I can't go past IE6 with Windows XP Pro SP1. And no, I will not install SP2, since it breaks programs.

    22. Re:Is that supposed to be news?? by Ralish · · Score: 1

      FYI: Microsoft commits to support the version of IE that ships with "x" Windows release for as long as "x" Windows release is supported. For example, IE 6 was shipped with Windows XP and so will be supported until Windows XP ceases to be. What this means is IE 6 is guaranteed to at the very least receive security fixes and limited bugfixes until sometime in 2014 when Windows XP leaves support. Similarly, IE 7 was shipped with Vista and will be supported until Vista ceases to be; contrary to what others may say, this is likely to be a very long time, I'd wager a minimum of 1 decade from RTM.

      That being said, XP users using IE 7 have upgraded to it either consciously or via Automatic Updates and Vista users I suspect are far more likely to have Automatic Updates enabled as the OS has the functionality baked-in from RTM and aggressively encourages the user to enable it. So, while it may be supported for a long time, its userbase may shrink rapidly in contrast to the glacial decline of IE 6.

    23. Re:Is that supposed to be news?? by Anonymous Coward · · Score: 1, Funny

      You may have noticed that things change a bit faster in the internet. IE 6 _is_ model T.

    24. Re:Is that supposed to be news?? by Shetan · · Score: 1

      With Ubuntu I have no way of doing that.

      They took cron out of Ubuntu? That seems silly.

    25. Re:Is that supposed to be news?? by Rising+Ape · · Score: 1

      Software doesn't wear out.

    26. Re:Is that supposed to be news?? by Gerald · · Score: 1

      Ubuntu: Hey! I want to install some updates!
      Me: Make it so. Now go away.
      Ubuntu: I'm downloading them! Wheeeeee!
      Me: How joyful. Go away.
      Ubuntu: I'm installing the first update! Only eleven to go!
      Me: Great. Go away.
      Ubuntu: Second update!
      Me: Just. Go. Away.
      Ubuntu: Third update! I just love installing updates! Look at the pretty progress bar! Isn't it to die for?
      Me: @#$!!!!@**#@ aaaaaAAAAAAAUUUUUGGGGGHHHH!!!

      It's been awhile since I used Ubuntu on my desktop. Is their software update utility still annoying?

    27. Re:Is that supposed to be news?? by ProfessionalCookie · · Score: 0

      And there's no excuse for that.

    28. Re:Is that supposed to be news?? by pbhj · · Score: 1

      Whoever they are, they have bigger IT problems than this exploit will ever generate.

      Cue stories of COBOL running on mainframes from the '70s underpinning major modern banks.

    29. Re:Is that supposed to be news?? by Anonymous Coward · · Score: 1, Interesting

      No, software in a vacuum doesn't wear out, but security never stays still. OBAuto example:

      In the 1950s, cars used wafer tumbler locks. Mechanically, they were fine, but when people found ways to defeat those, they went to Briggs and Stratton sidebar locks [1], then to either "laser-cut" or sidewinder tumblers, finally to physical and RFID security. The lock itself could last for years or decades, but because car thieves have advanced, they were replaced in subsequent model years with other designs that had harder to duplicate keys and higher pick resistance.

      It is just the same with computer software. Security software can never be static. Even fairly static utilities like pwgen get upgrades with better RNGs as time goes on. Over time, other basic utilities like login have moved the passwd file into two files (/etc/passwd and /etc/shadow), and password hashing algorithms changed from crypt(3) to MD5 to SHA, to using a hash, SHA, with a number of rounds to slow down brute force guessing.

      [1]: GM cars used these for a long time, because they were simple, pick resistant, and could weather all kinds of conditions. However, Briggs & Stratton sold that division to Assa-Abloy or Medeco, staying with their tried and true engines.
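
      The progression the comment above describes (DES crypt, then MD5, then SHA-crypt with a configurable rounds= work factor) is visible in the hash field of /etc/shadow. The script below is an added example, not code from the commenter or from any login/shadow implementation: it parses a constructed shadow-format file and flags accounts whose hashes a modern cracker would get through fastest. The sample entries are made up for the example (their hash bodies are syntactically plausible but are not real hashes and their lengths are not validated), and the audit thresholds (5000 rounds for SHA-crypt, cost 10 for bcrypt) are the author's assumptions, not a standard.

```python
"""Audit the password hashes in an /etc/shadow-style file.

The hash field tells you which crypt(3) scheme protects each account and,
for the modern schemes, how much work one guess costs.  Each entry is
classified and the fast-to-crack ones are flagged.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Prefix ids from the modular crypt format ("$id$...").
SCHEMES = {
    "1": "md5crypt",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
    "7": "scrypt",
    "y": "yescrypt",
    "gy": "gost-yescrypt",
}

SHA_CRYPT_DEFAULT_ROUNDS = 5000   # glibc default when no rounds= is present
MIN_SHA_CRYPT_ROUNDS = 5000       # assumed audit threshold, not a standard
MIN_BCRYPT_COST = 10              # assumed audit threshold (log2 iterations)

# Constructed sample file for this example; hash bodies are not real hashes.
SAMPLE_SHADOW = """\
root:$6$rounds=100000$saltsaltsalt$Qm9ndXNIYXNoQm9keUZvckV4YW1wbGVPbmx5Tm90UmVhbA:19000:0:99999:7:::
alice:$6$saltsalt$QW5vdGhlckJvZ3VzSGFzaEJvZHlGb3JFeGFtcGxlT25seU5vdFJlYWw:19000:0:99999:7:::
bob:$5$rounds=1000$shortsalt$Qm9ndXNTaGEyNTZCb2R5Rm9yRXhhbXBsZQ:19000:0:99999:7:::
carol:$1$saltsalt$Qm9ndXNNZDVCb2R5RXg:19000:0:99999:7:::
dave:ab4kNMTHkU9eI:19000:0:99999:7:::
frank:$2b$04$c2FsdHNhbHRzYWx0c2FsdHNhbHRzYWx0c2FsdHNhbHRzYWx0c2FsdHNhbA:19000:0:99999:7:::
eve::19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
mallory:!$6$saltsalt$TG9ja2VkQnV0U3RpbGxBUmVhbExvb2tpbmdIYXNoQm9keQ:19000:0:99999:7:::
"""


@dataclass
class HashInfo:
    user: str
    scheme: str              # crypt scheme, or "empty" / "no-login" / "unknown"
    rounds: Optional[int]    # iteration count (sha-crypt) or log2 cost (bcrypt)
    locked: bool             # field started with "!" (passwd -l / usermod -L)
    verdict: str             # "ok", "weak", "no-password", "no-login", "review"


def classify_hash(user, field):
    """Classify one shadow hash field into a HashInfo."""
    stripped = field.lstrip("!")
    locked = stripped != field
    scheme, rounds = "unknown", None

    if stripped == "":
        scheme = "empty"
    elif stripped.startswith("*"):
        scheme = "no-login"
    elif stripped.startswith("$"):
        parts = stripped.split("$")              # "", id, params/salt, ..., hash
        ident = parts[1] if len(parts) > 1 else ""
        scheme = SCHEMES.get(ident, "unknown")
        if ident in ("5", "6"):
            # sha-crypt: an optional "rounds=N" field precedes the salt
            m = re.match(r"rounds=(\d+)$", parts[2]) if len(parts) > 2 else None
            rounds = int(m.group(1)) if m else SHA_CRYPT_DEFAULT_ROUNDS
        elif scheme == "bcrypt" and len(parts) > 2 and parts[2].isdigit():
            rounds = int(parts[2])               # bcrypt cost parameter (log2)
    elif re.fullmatch(r"[./0-9A-Za-z]{13}", stripped):
        scheme = "descrypt"                      # traditional 13-character DES crypt

    return HashInfo(user, scheme, rounds, locked, _verdict(scheme, rounds, locked))


def _verdict(scheme, rounds, locked):
    if scheme == "empty":
        return "no-login" if locked else "no-password"
    if scheme == "no-login":
        return "no-login"
    if scheme in ("descrypt", "md5crypt"):
        # 8-char limit and 12-bit salt (DES) or a fixed 1000 iterations (MD5):
        # both are cheap enough for GPU crackers to test billions per second.
        return "weak"
    if scheme in ("sha256crypt", "sha512crypt"):
        return "weak" if rounds < MIN_SHA_CRYPT_ROUNDS else "ok"
    if scheme == "bcrypt":
        return "weak" if rounds is None or rounds < MIN_BCRYPT_COST else "ok"
    if scheme in ("scrypt", "yescrypt", "gost-yescrypt"):
        return "ok"
    return "review"


def audit_shadow(text):
    """Parse shadow-format text and return {user: HashInfo}."""
    result = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        result[fields[0]] = classify_hash(fields[0], fields[1])
    return result


def weak_accounts(text):
    """Usernames whose hash (or lack of one) a cracker would get through fastest."""
    return [u for u, h in audit_shadow(text).items()
            if h.verdict in ("weak", "no-password")]


if __name__ == "__main__":
    for info in audit_shadow(SAMPLE_SHADOW).values():
        flag = " (locked)" if info.locked else ""
        print(f"{info.user:8} {info.scheme:14} rounds={info.rounds!s:7} {info.verdict}{flag}")
```

      Run against a real system as root (the file is mode 0640 or stricter) and expect the interesting findings to be the ones this sample stages: a user whose hash predates a migration to SHA-crypt, a rounds= value someone lowered to speed up logins, an empty field on a service account, or a "locked" account whose perfectly good hash would come back to life with one usermod -U.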

    30. Re:Is that supposed to be news?? by CyDharttha · · Score: 1

      Is their software update utility still annoying?

      No. Although I don't remember a time when it acted like you're describing.

    31. Re:Is that supposed to be news?? by neonsignal · · Score: 1

      Perhaps the same companies that are still running Windows 2000 because they like to get real work done instead of constantly upgrading user interfaces.

      And looking at the percentage share of IE6 still out there, I'd guess it is quite a few.

      Fortunately Mozilla browsers still support Windows 2000. Sad for Windows users that the best security is to not use a Microsoft browser.

    32. Re:Is that supposed to be news?? by Sophira · · Score: 1

      What frigen company has managed to hang on to a totally shit piece of web software that depends on Windows 6 or 7 to function?

      I think you meant Internet Explorer there. Windows 6 doesn't exist, and Windows 7 is new.

    33. Re:Is that supposed to be news?? by cenc · · Score: 1

      Sorry, yeah, Freudian slip perhaps.

    34. Re:Is that supposed to be news?? by Anonymous Coward · · Score: 0

      I work for a very large bank, and IE 6 is the corporate standard.

      What can possibly go wrong? Oh wait...

    35. Re:Is that supposed to be news?? by Anonymous Coward · · Score: 0

      Yeah, forgot about that. My grandma was just telling me about that over breakfast today.

    36. Re:Is that supposed to be news?? by Max+Littlemore · · Score: 2, Interesting

      Care to name the bank? That should be public knowledge - or at least available to all customers and any potential customers.

      --
      I don't therefore I'm not.
    37. Re:Is that supposed to be news?? by Tibia1 · · Score: 1

      Have we ever done a poll to see who uses what browser?

    38. Re:Is that supposed to be news?? by Anonymous Coward · · Score: 0

      I did an internship at a large enterprise this summer that manufactures medical equipment; my dad works for the same company (though he's in accounting, and I interned in software engineering). They were still mostly on IE6 with the transition to IE7 slowly taking place, and his work laptop which I just had to use a few minutes ago (whitelisting his MAC in my router) has IE7. Many of their internal web apps were designed for IE6, and the morons in their bureaucracy declared that because they're in a "regulated industry" that they can't have any software on their machines that isn't "audited". (No, from what I can tell they have no idea what FOSS is.)

      Meanwhile, folks in the SE department were all running Chrome and Firefox against company policy.

    39. Re:Is that supposed to be news?? by Nefarious+Wheel · · Score: 2, Interesting

      Software doesn't wear out.

      Yes it does.

      When the world around a piece of running software changes, that piece of software in the middle often doesn't work like it used to. Yes, it's contextual, but it's also mostly true. It's often (humourously) referred to as the "principle of bit decay".

      Basically, if it works, it's obsolete.

      --
      Do not mock my vision of impractical footwear
    40. Re:Is that supposed to be news?? by Psaakyrn · · Score: 1

      At minimum, this new attack uses code which does not work in IE 8, I assume?

    41. Re:Is that supposed to be news?? by Anonymous Coward · · Score: 0

      It was either AmEx or one of the airlines that forced us to downgrade a user from IE8 to IE6. I wasn't personally involved but saw the email hit Help Desk and asked about it afterwards.

      This kind of thing has interrupted our efforts to move everyone to IE8. This was a vocal user (as executive assistants tend to be).

    42. Re:Is that supposed to be news?? by gcerullo · · Score: 3, Funny

      No NCSA Mosaic would be a Model-T. IE 6 is a friggin Edsel.

    43. Re:Is that supposed to be news?? by nulldaemon · · Score: 1

      Yes -- particularly annoying on my netbook when it forces me stop everything while it slowly renders the update manager.

    44. Re:Is that supposed to be news?? by dwinks616 · · Score: 0

      How much work are they getting done when the Windows 2000 computers get infected with crap-loads of malware due to unpatched (and never will be patched) security holes?

    45. Re:Is that supposed to be news?? by Anonymous Coward · · Score: 0

      Could be companies like the one I'm contracted to. They run manufacturing facilities, and not only does upgrading their IE6 cause a web program to no longer function, it also causes a different fully external program to not even load.

    46. Re:Is that supposed to be news?? by petermgreen · · Score: 1

      Isn't IE5, like, you know, very old?
      MMM but according to MS 5.01 SP2, 5.01 SP3 and 5.01 SP4 on win2K are all still supported.

      What I find really odd is that according to MS 5.01 is still supported (and three different service packs of it at that) but 5.5 isn't.

      But, one of my excuses for sticking with IE6 (and my reason for posting anonymously), is that I can't go past IE6 with Windows XP Pro SP1. And no, I will not install SP2, since it breaks programs.
      It did, though it was all so long ago that I'd expect most of them to be fixed by now unless you rely on some strange legacy shit.

      Bear in mind that internet explorer life cycles are tied to the underlying version of windows, so while IE6 on XP SP2 and SP3 is still supported IE6 on XP SP1 isn't so you may miss out on some security updates.

      BTW win2K SP4 is still getting security updates (though not for much longer) so a fully up to date win2K box should have less holes than a fully up to date XP SP1 box. If you really rely on stuff that breaks with XP SP2 then 2K SP4 may be a better choice.

      --
      note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
    47. Re:Is that supposed to be news?? by petermgreen · · Score: 1

      Vista and will be supported until Vista ceases to be; contrary to what others may say, this is likely to be a very long time, I'd wager a minimum of 1 decade from RTM.
      Your wager would appear to be correct for Vista Business and Enterprise; their current plan seems to be a decade and a few months from "general availability" http://support.microsoft.com/lifecycle/?p1=11707 . I doubt they will reduce the dates, but they may pull what they pulled with XP recently and claim some fixes are impractical to backport.

      Given how unpopular vista has been in the enterprise I doubt these dates will be extended (unlike 2K and XP which got a lot of extensions over their lifetime).

      The other editions of Vista (Home Basic, Home Premium and Ultimate) are currently listed as not getting extended support, presumably because they are considered consumer products. How exactly that will play out remains to be seen (my guess is they will be able to download patches for the core OS but the home-specific media stuff will cease to be updated).

      --
      note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
    48. Re:Is that supposed to be news?? by thunderclap · · Score: 1

      It won't be when it gets hacked and stolen from. An exec and an IT guy who was doing his job will get fired for it, but hey, it was only records. It's laziness that is preventing them.

    49. Re:Is that supposed to be news?? by Anonymous Coward · · Score: 0

      I'm not sure about that. I considered IE4 a better match for the Edsel. I see IE6 as more of a Pinto.

    50. Re:Is that supposed to be news?? by Anonymous Coward · · Score: 0

      Drat, improving technology keeps programmers employed.

      It's worse than you realise. Employed programmers keep improving technology, creating a vicious cycle of technological advance compounded by ongoing financial solvency.

      I don't see any way to break this cycle except by government intervention.

    51. Re:Is that supposed to be news?? by http · · Score: 2, Interesting

      HTML 4 has not changed in over a decade. ECMA-262 (JavaScript) was released almost exactly a decade ago. Version 4 died on the table, and 5 isn't out for a while yet.
      What is the improving technology?

      --
      If opportunity came disguised as temptation, one knock would be enough.
      3^2 * 67^1 * 977^1
    52. Re:Is that supposed to be news?? by Anonymous Coward · · Score: 0

      I work for a countrywide power company and we have several older applications that require IE. What, you think we should rewrite them just because they're old? With all the attendant risks and issues that could create? Much easier to just keep them and use IE. Hell, some of our applications still use green screen telnet to Unix boxes - but when you're billing millions of dollars a month, it's much easier and smarter to keep using what works rather than continually spending money re-engineering perfectly usable and stable applications.

    53. Re:Is that supposed to be news?? by pinkushun · · Score: 1

      Especially national banks; approving new major versions is a painful process, talking from experience. Better them than me. So much for their secure delayed upgrade security model.

    54. Re:Is that supposed to be news?? by Hurricane78 · · Score: 1

      Well, if the IT department knowingly insists on using (insecure and horrible anyway) IE, it knowingly insists on destroying the company. Which is a reason to tell the boss that either he kicks the IT department’s asses for trying to destroy his company, or you quit because there is no reason to work for a dying business.

      Simple as that. :D

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
    55. Re:Is that supposed to be news?? by Anonymous Coward · · Score: 0

      So...what's your IP address?

    56. Re:Is that supposed to be news?? by RockDoctor · · Score: 1

      I think you'll find that "nuisance" is spelt "danger" in this usage.

      --
      Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
    57. Re:Is that supposed to be news?? by commodore64_love · · Score: 1

      >>>Windows 6 doesn't exist, and Windows 7 is new.

      Yes it does. It's called Vista (v.6.0)

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    58. Re:Is that supposed to be news?? by commodore64_love · · Score: 1

      >>>With an attitude like that, you are a nuisance to everyone else on the road.

      Well don't complain to me. Complain to the Maryland State Government that not having car inspections (except at point-of-sale) is dangerous. I don't think you'll get far, since most of the legislators think inspections represent a too-heavy burden on the poor and middle class.

      And I agree with them. Now that I've moved to a state with annual inspections, I'm basically throwing-away $60 a year plus any repairs the garage "finds" in my car (or else I get no sticker). Even when the car hasn't been driven (i.e. less than 1000 miles), they still expect me to pay $30 for the shiny new sticker.

      It's like a disguised, regressive tax.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    59. Re:Is that supposed to be news?? by Sophira · · Score: 1

      If you're going to be like that, then Windows 7 is Windows 6.1, so technically Windows 7 doesn't exist either.

      You knew full well what I meant. ;p

    60. Re:Is that supposed to be news?? by commodore64_love · · Score: 1

      I just upgraded from 6 to 7 around two months ago.

      I guess it's time to hop to 8. I'm tired of constantly upgrading everything. I drive an old car built in 1997, and I don't understand why I can't keep running the same browser at least a few years. Yeah I know - constant updating keeps programmers employed.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    61. Re:Is that supposed to be news?? by plague3106 · · Score: 1

      Um, are you not doing any maintenance on the car either? Does it have the same oil, oil filter, air filter, belts, radiator fluid, etc.? Updates are maintenance, and it's a lot easier to update browsers than change your oil. And it's free.

    62. Re:Is that supposed to be news?? by plague3106 · · Score: 2, Insightful

      If inspections are too heavy a burden on people, those people should not have cars then. As far as getting stuck with "repairs" you don't want, either you're not going to someone trustworthy and should find another mechanic, or you should do the inspection yourself upfront so you can call their BS. Most inspections are just quick checks on belts, brake wear, etc.; it should be trivial to do it yourself.

      As far as the cost of the inspection, tell that to the state; here its only $20, and only if you pass.

    63. Re:Is that supposed to be news?? by An+ominous+Cow+art · · Score: 1

      We used to joke about the "Microsoft Paradox": how can their software both suck and blow?

    64. Re:Is that supposed to be news?? by kbielefe · · Score: 2, Informative

      Allow me to translate from trollspeak. "no way of doing that" means "no way of doing that, that I could find by clicking around for a minute on the GUI." In this case, I don't even think they did that, because there are options to change how often it prompts for updates, and for applying security updates automatically without prompting.

      I really like Ubuntu's choice of default behavior here. Prompting the user to apply updates means no "I lost data because it upgraded while I was in the middle of working on it" kinds of complaints. My wife can wait to apply updates until after an important task she is working on. I can see what packages are being updated before applying them so I know where to be on the lookout for potential problems.

      Maybe it makes me an elitist, but I also like that you have to know what you're doing in order to change that default behavior too much. Most of the complaints about foolproof features in software come from people who don't think they are the fools.

      --
      This space intentionally left blank.
    65. Re:Is that supposed to be news?? by kbielefe · · Score: 1

      IE 6 came out the same year as XP, so IE 5 is only slightly older than the OS you're using.

      By the way, posting anonymously doesn't really help you against exploits like this. You're vulnerable by visiting malicious or infected websites. Hope you either have a really good IPS or never click on links.

      --
      This space intentionally left blank.
    66. Re:Is that supposed to be news?? by Trogre · · Score: 1

      Flash?

      (ducks for cover)

      --
      "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
    67. Re:Is that supposed to be news?? by QuietObserver · · Score: 1

      What makes this Flamebait? This is a simple observation, nothing more. And also, I disagree with those who are comparing upgrading a browser to regular car maintenance; updating the browser is more like regular maintenance, since appearance and interface do not change between updates, while upgrades can change both, and should therefore be compared more to a new year of an old model.

    68. Re:Is that supposed to be news?? by http · · Score: 1

      You were right to duck for cover. My keyboard (and a bit of my monitor) is now splattered in snork.

      --
      If opportunity came disguised as temptation, one knock would be enough.
      3^2 * 67^1 * 977^1
    69. Re:Is that supposed to be news?? by duguk · · Score: 1

      here its only $20, and only if you pass.

      What?? In the UK it's £56 - or nearly $100 from most garages!

      You're a danger to the road without an "MOT", and if you forget, or fail to get your check done, it's a £1000 fine or $1657. Oh, and they check with ANPR cameras too.

      You Americans should really think yourselves lucky, and get your car checked - please don't be a danger to others on the road.

    70. Re:Is that supposed to be news?? by Stradivarius · · Score: 1

Presumably it's fixes for the variety of nasty bugs in the browser. The spec may not have changed, but nothing says the browser software implements them all perfectly, or that it does so without allowing someone to take over your PC courtesy of some bug in the browser's security model, buffer management, etc.

    71. Re:Is that supposed to be news?? by plague3106 · · Score: 1

Well, it does vary from state to state. Here it's $20, only if you pass, and there's no emissions test. In PA, it's around $75 I think, including an emissions test, but pass or fail.

      The point is that I feel that if the inspection amount is too much of a burden, that person should give up the car. A car is one of my biggest expenses, and I would gladly not have one or use it infrequently if I didn't have to.

  3. Oh good Lord *facepalm* by David+Gerard · · Score: 5, Funny

    Microsoft Windows has once again trounced all comers in security, with a recent survey showing 59% of all Windows machines on the Internet being infected with malware and under the control of botnets. Malware rose 15% just from August to September this year.

    Windows users continued to be stupidly complacent Typhoid Marys, telling Mac and Linux users that they were every bit as susceptible to viruses and Trojans, despite the Windows:Mac:Linux virus proportions in the wild continuing at approximately 100%:0%:0% for the fifteenth year in a row, and pumping out gigabytes of spam and denial-of-service attacks from their thoroughly 0wn3d computing cesspits.

    “The truth is out,” said Steve Ballmer, taking care not to wash his hands when preparing the food for his Windows 7 House Party. “Mac and Linux users are just too pussy for viruses. Gotta keep your immune system up! What are you, some sort of faggot? Too artsy or nerdy for MANLY food?”

    The time on the digital clock behind him changed at random as he foamed slightly at the mouth. “Windows — we’re NUMBER ONE! And here you were saying Windows was a load of ‘number two.’”

    --
    http://rocknerd.co.uk
    1. Re:Oh good Lord *facepalm* by commodore64_love · · Score: 0, Redundant

      >>>with a recent survey showing 59% of all Windows machines on the Internet being infected with malware and under the control of botnets.
      >>>telling Mac and Linux users that they were every bit as susceptible to viruses and Trojans, despite the Windows:Mac:Linux virus proportions in the wild continuing at approximately 100%:0%:0%
      >>>

      Please provide proof or retract. Thanks.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    2. Re:Oh good Lord *facepalm* by ColdWetDog · · Score: 4, Funny

      *** ALERT ****

      Humor Process Failure

      (A)bort, (R)etry, (F)lail

      --
      Faster! Faster! Faster would be better!
    3. Re:Oh good Lord *facepalm* by Blakey+Rat · · Score: 1, Informative

The problem isn't anything Microsoft is doing, it's users who don't upgrade their OS. Did you notice the part where this only affects IE6 and IE7? Upgrade to IE8, and, presto, you're immune!

    4. Re:Oh good Lord *facepalm* by Anonymous Coward · · Score: 1, Funny

      (F)lail. wait, flail?

    5. Re:Oh good Lord *facepalm* by commodore64_love · · Score: 0, Redundant

      >>>59% of all Windows machines on the Internet being infected with malware and under the control of botnets.
      >>>Windows:Mac:Linux virus proportions at approximately 100%:0%:0%
      >>>

      Please provide proof or retract. Thanks.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    6. Re:Oh good Lord *facepalm* by MillionthMonkey · · Score: 1

The problem isn't anything Microsoft is doing, it's users who don't upgrade their OS.

That may be a true description of this problem as it currently stands, but it stems from what Microsoft screwed up in the past.

    7. Re:Oh good Lord *facepalm* by Blakey+Rat · · Score: 1

      Well, they don't have a time machine, so you'll just have to cope with that somehow.

    8. Re:Oh good Lord *facepalm* by MillionthMonkey · · Score: 1

      I don't have a dog in this fight. I'm just calling 'em as I see 'em, like Sarah Palin.

    9. Re:Oh good Lord *facepalm* by Anonymous Coward · · Score: 1, Funny

      I don't have a dog in this fight. I'm just calling 'em as I see 'em, like Sarah Palin.

      And you were doing so well before that comment.

    10. Re:Oh good Lord *facepalm* by Anonymous Coward · · Score: 1, Informative

      If you think there are 0% Linux and Mac botnets and malware in the wild, you are seriously uninformed.

      http://theappleblog.com/2009/04/24/mac-botnet-how-to-ensure-you-are-not-part-of-the-problem/
      http://blog.trendmicro.com/more-mac-malware-in-the-wild/
      http://lwn.net/Articles/222153/ - Linux botnets
      http://blogs.computerworld.com/14723/no_more_linux_security_bragging_botnet_discovery_worry

This is just a small sample. Let's all take security seriously, and leave religion to the gods. (And to head off the claim that it doesn't count if the user has to install something, like a pirated malware-infected Photoshop for OSX: that is the most common Win vector these days as well. Malware is the problem, not viruses.)

    11. Re:Oh good Lord *facepalm* by jpmorgan · · Score: 1

      And it's only on XP. Vista and Win7 run IE in a sandbox for extra protection (unless you are a silly person and turned that off).

    12. Re:Oh good Lord *facepalm* by MillionthMonkey · · Score: 2, Funny

      Thanks!

    13. Re:Oh good Lord *facepalm* by ProfessionalCookie · · Score: 1

      The proof is in your inbox ;)

    14. Re:Oh good Lord *facepalm* by westyvw · · Score: 1

What is this fascination with "upgrading"? IE 8 is not much of an "upgrade" at all, it's another version that has its share of problems. I really dislike the Windows world of versioning; FOSS generally makes a lot more sense to me. If there are security issues with IE, in 6, 7 or 8, they should be fixed as incremental versions. If a complete re-write happened, then it should be released as a new version, and it's not really an upgrade, but a change.

    15. Re:Oh good Lord *facepalm* by Anonymous Coward · · Score: 1, Interesting

      Not all of us can afford the cost of updating our OS...

Of the 2 systems I own, one is a laptop with a nonfunctional screen (which is still semi-useful for some things via ssh) and the other is a desktop with a CRT. Neither has over 768MB of RAM.

      This isn't going to change anytime soon.

      I just don't have the money to update my hardware, as I'd need to do to run Vista or Win 7 (much less the price of the OS), but I can run fully updated Linux systems no problem.

      I realize this article is about IE, but you mentioned the OS and XP is no longer really supported.

    16. Re:Oh good Lord *facepalm* by Nefarious+Wheel · · Score: 1

What is this fascination with "upgrading"? IE 8 is not much of an "upgrade" at all, it's another version that has its share of problems. I really dislike the Windows world of versioning; FOSS generally makes a lot more sense to me. If there are security issues with IE, in 6, 7 or 8, they should be fixed as incremental versions. If a complete re-write happened, then it should be released as a new version, and it's not really an upgrade, but a change.

Be grateful it's a Windows numeric version upgrade, young padawan. The ones with clever names are the ones you need to watch out for.

      --
      Do not mock my vision of impractical footwear
    17. Re:Oh good Lord *facepalm* by Anonymous Coward · · Score: 0

      David Gerard is a fucking faggot who wears leather, dresses in goth, and married a fat bitch with red hair. Also, close friend of Roy Schestowitz, the asshole behind BoycottNovell.

    18. Re:Oh good Lord *facepalm* by Hurricane78 · · Score: 1

You’re just jealous that it’s not you who infected those computers. ^^

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
    19. Re:Oh good Lord *facepalm* by Hurricane78 · · Score: 1

No. You THINK you’re immune. Because MS censors anyone who openly talks about the bugs. Behind closed doors (Russian cracker forums), IE8 and Windows 7 are as open as barn doors.

      The best hosts for your botnet client are those who are too arrogant to think that they could be the targets. ^^

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
    20. Re:Oh good Lord *facepalm* by Anonymous Coward · · Score: 0

Oh right. Those secret secret forums. If only MS had enough money to buy a mole. God, it's a wonder security researchers know anything...

    21. Re:Oh good Lord *facepalm* by Anonymous Coward · · Score: 0

      You're welcome! (Different AC, but I'm a karma whore)

  4. Versions 6 & 7 by Travis+Mansbridge · · Score: 2, Informative

    Specifically versions 6 & 7, says the article.

    1. Re:Versions 6 & 7 by Sulphur · · Score: 2, Funny

So if I am using DOS and Windows 3.11, I should be safe. Right.

    2. Re:Versions 6 & 7 by thunderclap · · Score: 2, Funny

Yes! Absolutely. But a better suggestion is Commodore 64! It's virus free! It NEVER GETS THEM. Hell, Linux can't even say that.

    3. Re:Versions 6 & 7 by commodore64_love · · Score: 1

      The C64 has had some viruses, but they are easily removed by turning off the computer and then making sure never to load that virus from your disk drive.

      When the Commodore Amiga arrived (1985), there was self-executing code on track 0 of the floppy, and the viruses lodged themselves there. Most of the damage was not caused by the virus itself, but because it could erase the self-booting floppy's data, and then you'd have a $40 game stop working.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
  5. Summary needs clarification by Anonymous Coward · · Score: 5, Funny

    "According to security vendor Symantec, the code does not always work properly, but it could be used to install unauthorized software on a victim's computer."

    So, are they referring to IE or the attack code?

    1. Re:Summary needs clarification by click2005 · · Score: 4, Funny

      No, they're referring to Symantec's code :)

      --
      I am a free slashdotter. I will not be modded, blogged, DRM'd, patented, podcasted or RFID'd. My life is my own.
    2. Re:Summary needs clarification by pbhj · · Score: 2, Funny

      Is it too much to hope that someone is using this attack vector to upgrade corporate computers from IE6 to something that can render web pages correctly?

    3. Re:Summary needs clarification by thunderclap · · Score: 1

      Both! But you already knew that.

    4. Re:Summary needs clarification by Hurricane78 · · Score: 1

      Why would that one not be you? Made-up excuses? ^^

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
  6. CSS Behaviors? by DontLickJesus · · Score: 2, Informative

    If I'm interpreting this correctly, it would appear to be a buffer overflow attack against the "style" element. Seeing that IE6-7 are the only current browsers that handle CSS behaviors (basically JavaScript in CSS), I'm going to make an educated guess and say it stems from the validation (and execution) of JavaScript in CSS.

    --
    Where genius and insanity become confused true wisdom is found
  7. In other news... by Anonymous Coward · · Score: 0

    Slackware 3.0, Redhat 2 and OSX 10.1 all still have exploits.

    1. Re:In other news... by koiransuklaa · · Score: 4, Insightful

      What does that have to do with anything? Fully patched IE 6 and IE 7 are _supported_ products, the ones you list are not.

  8. Not aware of a patch? by kjart · · Score: 1, Interesting

    Affected Products

    Microsoft Internet Explorer 7
    Microsoft Internet Explorer 6

    Solution

    Disable Active Scripting in the Internet and Local intranet security zones.

    VUPEN Security is not aware of any vendor-supplied patch.

    I know most of us would like to pretend IE doesn't exist, but they haven't even heard of IE 8?
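The advisory's only mitigation is a zone setting. As an added example (not from the thread or from VUPEN), the script below reads the current-user Internet Explorer zone settings in the registry to report whether Active Scripting is enabled in the Internet and Local intranet zones, and can apply the recommended "Disable" value. It assumes the standard IE zone layout: zone 1 is Local intranet, zone 3 is Internet, and registry value 1400 is the Active scripting action (0 = Enable, 1 = Prompt, 3 = Disable).

```powershell
# Added example, not part of the original post or advisory.
# Audits (and optionally applies) "Disable Active Scripting in the Internet and
# Local intranet security zones" via the per-user IE zone settings in HKCU.
# Assumed standard layout: zone 1 = Local intranet, zone 3 = Internet,
# value 1400 = Active scripting, with 0 = Enable, 1 = Prompt, 3 = Disable.

$ZoneBase = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones    = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$Labels   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveScriptingState {
    # Returns the human-readable Active scripting action for one zone.
    param([Parameter(Mandatory)][int]$Zone)

    $path = Join-Path $ZoneBase $Zone
    $raw  = (Get-ItemProperty -Path $path -Name '1400' -ErrorAction SilentlyContinue).'1400'

    if ($null -eq $raw) { return 'Not set (zone default applies)' }
    if ($Labels.ContainsKey([int]$raw)) { return $Labels[[int]$raw] }
    return "Unknown ($raw)"
}

function Set-ActiveScriptingDisabled {
    # Writes DWORD 3 (Disable) to value 1400 for one zone, current user only.
    # This also affects any application that hosts the IE rendering engine.
    param([Parameter(Mandatory)][int]$Zone)

    $path = Join-Path $ZoneBase $Zone
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name '1400' -Value 3 -Type DWord
}

# Report the current state; anything other than 'Disable' means the
# advisory's mitigation is not in effect for that zone.
foreach ($z in ($Zones.Keys | Sort-Object)) {
    '{0,-15} (zone {1}): Active scripting = {2}' -f $Zones[$z], $z, (Get-ActiveScriptingState -Zone $z)
}

# Uncomment to apply the mitigation for the current user:
# foreach ($z in $Zones.Keys) { Set-ActiveScriptingDisabled -Zone $z }
```

Group Policy can enforce the same value machine-wide; this script only covers the per-user key, so a domain-pushed policy may override what it reports.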

    1. Re:Not aware of a patch? by Mystra_x64 · · Score: 1

      They do. Users do not however. Well, at least many just don't care.

      --
      Quick way to get 30% Funny 70% Troll: defend Opera browser on /.
    2. Re:Not aware of a patch? by tepples · · Score: 2, Informative

      VUPEN Security is not aware of any vendor-supplied patch.

      I know most of us would like to pretend IE doesn't exist, but they haven't even heard of IE 8?

      Microsoft doesn't make IE 8 for older versions of Windows such as Windows 2000. It'd be like saying Windows 7 is a "vendor-supplied patch" for Windows Vista.

    3. Re:Not aware of a patch? by Anonymous Coward · · Score: 1, Interesting

      IE 8 is not a patch since it requires reading a new EULA. I'll stick with the version that does less spying thank you.

    4. Re:Not aware of a patch? by supersloshy · · Score: 1

They said that it affects old versions of Internet Explorer.

      --
      "Our country is not nearly so overrun with the bigoted as it is overrun with the broadminded." -Archbishop Fulton Sheen
    5. Re:Not aware of a patch? by mpe · · Score: 1

      I know most of us would like to pretend IE doesn't exist, but they haven't even heard of IE 8?

There are plenty of web apps (especially in the "Enterprise" environment) which depend on quirks of specific browsers. Most commonly IE6. Using a different browser means making major changes. At which point it probably doesn't matter if the change were to be to Firefox, Opera, Safari, etc. Indeed there are versions of Windows which won't run IE8, but will run modern non-Microsoft browsers.
Indeed, if things are web based then without a requirement for IE something akin to "Google OS" might make rather more sense than Windows. Especially if the result is small enough to be reasonably started by PXE.

    6. Re:Not aware of a patch? by funkatron · · Score: 1

      So what you're saying is that people still run a crap browser because they need it to use badly written software. Surely one of the main reasons for having web based applications in the first place is to get some independence from the clients' platform.

      --
      "Welcome to our world. We are the wasted youth. And we are the future too." Yes, I know these are stupid lyrics.
    7. Re:Not aware of a patch? by Anonymous Coward · · Score: 0

Nah. The main reason is that for some enterprise tasks, web apps are simply more convenient. You can link to them from an intranet web page, cross link them, push updates by replacing files on the server side, etc. ActiveX on IE 6 got the job done, so some people used that.

    8. Re:Not aware of a patch? by 0123456 · · Score: 3, Insightful

      Surely one of the main reasons for having web based applications in the first place is to get some independence from the clients' platform.

      You haven't been in IT long, have you?

    9. Re:Not aware of a patch? by Anonymous Coward · · Score: 0

      So IE8, then? Dickwad.

    10. Re:Not aware of a patch? by lamapper · · Score: 1

There are plenty of web apps (especially in the "Enterprise" environment) which depend on quirks of specific browsers. Most commonly IE6. Using a different browser means making major changes. At which point it probably doesn't matter if the change were to be to Firefox, Opera, Safari, etc. Indeed there are versions of Windows which won't run IE8, but will run modern non-Microsoft browsers.

Only if some pin-headed manager allowed his web developers to continue to code sites with IE specific hacks.

      I learned back in the Netscape days, if you developed in Netscape it just worked in all other browsers, however if you developed in Internet Explorer, you would invariably use some IE specific coding that would break in many if not all non IE browsers.

Microsoft made a business decision to attempt to corrupt the W3 standards with IE specific crap for vendor lock-in reasons only. Some people stupidly bought into this and are paying with crackers, problems with ActiveX and many other non-secure codings of web pages. They made their bed, let them lie in it. The fact is they had a choice and, typical of Microsoft, they chose to attempt to vendor lock-in in order to Extinguish later. Pathetic and lame.

      I still hit websites, in 2009, that do not display right in Firefox, what crap, fortunately there are other sources to get that information and I leave that website never to return...their loss, not mine. Later.

      --
      Is your Internet Throttled? Install DD-Wrt, OpenWRT or Tomato to learn the truth! Google: 1Gbps/1Gbps: 5 Communities
    11. Re:Not aware of a patch? by mpe · · Score: 1

      Surely one of the main reasons for having web based applications in the first place is to get some independence from the clients' platform.

      Not in the minds of certain web developers. It gets especially ironic where you have Apache running under Linux refusing to talk to anything other than IE running under Windows, by deliberate design.

  9. Firefox by 1s44c · · Score: 0, Redundant

    The only people still using internet exploder are people who don't care about security. They have ignored more than enough warnings and deserve what they get.

    The rest of the world is already using firefox, opera, or whatever the OS X browser is called.

    1. Re:Firefox by Inschato · · Score: 1

      Safari

    2. Re:Firefox by Tim+C · · Score: 2, Insightful

      The only people still using internet exploder are people who don't care about security.

      Or perhaps they just don't know about that sort of thing, and expect their computer to just work, just as their TV, fridge, microwave, phone, etc all just work?

      or whatever the OS X browser is called

      First you lambaste people for not knowing enough about IE and its alternatives, then you admit to not knowing enough about Safari. Beautiful.

    3. Re:Firefox by Anonymous Coward · · Score: 0

      The only people still using internet exploder are people who don't care about security.

Not true. We're using IE7 at my company because of some boneheaded decisions way back when that tied online applications to the browser version. That is, they used browser specific HTML that doesn't work correctly with IE8.

    4. Re:Firefox by CastrTroy · · Score: 1

      Or perhaps they just don't know about that sort of thing

They don't know because they don't care. A computer is a lot more complicated than a TV, fridge, microwave or phone. If you want to compare it in complexity to another thing that many people own, the only thing comparable would be a car. People know that cars require maintenance to keep them running well. Computers are no different in this respect.

--
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    5. Re:Firefox by Anonymous Coward · · Score: 0

      The only people still using internet exploder are people who don't care about security. They have ignored more than enough warnings and deserve what they get.

      The rest of the world is already using firefox, opera, or whatever the OS X browser is called.

      I care about security, and I think you would be hard pressed to document that Firefox is more secure than IE8 in protected mode (sandboxed, reduced user privileges). Yes you can find reported vulnerabilities in IE8, but most security companies announce far more for Firefox these days. Including pretty severe ones like we discussed here a couple of days ago: http://it.slashdot.org/story/09/11/20/1257232/Zero-Day-Vulnerabilities-In-Firefox-Extensions

      "Firefox most vulnerable browser, Safari close second": http://www.net-security.org/secworld.php?id=8489 . Secunia is saying pretty much the same thing.

    6. Re:Firefox by Rising+Ape · · Score: 1

      Cars need maintenance because parts wear out or have limited lifespans. Software isn't like this, it doesn't degrade over time. Security or bug-fixing patches to software are equivalent to manufacturers' recalls to repair design flaws. If you had to take your car back every month for the latest set of fixes, I think you'd have reason to be annoyed.

      Of course, this sloppiness may be justified in that it allows software to be released much more quickly and cheaply, and after all it *can* be patched later much more easily than a car and nobody's going to die if it goes wrong.

    7. Re:Firefox by argent · · Score: 1

      The IE8 sandbox is deliberately leaky, and doesn't protect you against people stealing access tokens (passwords, etcetera) for your online assets. It is a mitigating factor, but doesn't reduce the surface area exposed to attack.

      And so long as design flaws like ActiveX remain part of the Microsoft HTML ecosystem, IE will continue to have a larger surface area.

    8. Re:Firefox by Anonymous Coward · · Score: 0

      You sure do cry a lot for a 5-digit uid.

  10. A great reason to choose Firefox by simsodep · · Score: 4, Informative

There is another story about JS loading with IE7 & IE8. According to 4 of my testers (and a test I did after using the same environment), it seems that we can't log in to our site so dep using Internet Explorer 7 and 8, on Win XP (and maybe Vista, not tested). After validating the form, we are back to the login page, without any error, but as if we are unauthenticated. On the other hand, Firefox does its great job.

    1. Re:A great reason to choose Firefox by jbacon · · Score: 2

      It sounds like the root flaw actually lies in your own login implementation. I guarantee that IE is capable of handling sessions. If you have a website that makes you money, you should realize a couple points: First, most of your userbase runs IE. Having the site unusable in said browser is very bad. Second, special casing code for IE is a fact of life in the web development world, and you should just get used to it.

    2. Re:A great reason to choose Firefox by Zero__Kelvin · · Score: 3, Interesting

      "It sounds like the root flaw actually lies in your own login implementation."

      "Second, special casing code for IE is a fact of life in the web development world, and you should just get used to it."

      It looks like there is a root flaw in your logic implementation there jbacon. You are right about the special casing needs, but a simple redirection to a page explaining that they are using a non-standards compliant virus sink with links to getfirefox.com and articles backing up the claim would be much more effective in the long run. In fact, if there weren't so many web designers with root flaws in their logic akin to yours, it would benefit in the short run. About the third or fourth time the user had to choose to use a standards compliant web browser or stop visiting the site(s) they want to visit, they would get the message.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    3. Re:A great reason to choose Firefox by tokul · · Score: 1

There is another story about JS loading with IE7 & IE8. According to 4 of my testers (and a test I did after using the same environment), it seems that we can't log in to our site so dep using Internet Explorer 7 and 8, on Win XP (and maybe Vista, not tested). After validating the form, we are back to the login page, without any error, but as if we are unauthenticated. On the other hand, Firefox does its great job.

      So you use some complex login tracking setup and can't trace why IE is failing. Looks like your setup issue and not something specific to some browser. Mind sharing how you break simple session cookie or id tracking to the point that you can't understand why some browser fails?

    4. Re:A great reason to choose Firefox by Anonymous Coward · · Score: 0

      Yeah, they'd get the message that YOU are a DICK and they're glad to not do business with you because there is somebody nice around to hold their hand and whisper sweet nothing in their ears.

      Or something like that.

      Tough love doesn't work when somebody else benefits from undercutting you.

      And no, it won't change.

    5. Re:A great reason to choose Firefox by thePowerOfGrayskull · · Score: 1

      It looks like there is a root flaw in your logic implementation there jbacon. You are right about the special casing needs, but a simple redirection to a page explaining that they are using a non-standards compliant virus sink with links to getfirefox.com and articles backing up the claim would be much more effective in the long run

Because turning away potential customers who don't have a choice in the browser they use (a huge corporate population is stuck on IE6) is always a sound strategy....

    6. Re:A great reason to choose Firefox by Zero__Kelvin · · Score: 1

"Because turning away potential customers who don't have a choice in the browser they use (a huge corporate population is stuck on IE6) is always a sound strategy...."

      I was unaware that huge corporations don't have a choice when it comes to web browsers!

The users that are doing legitimate business will file a ticket against the issue. I have a feeling that when IT gets thousands of tickets a day, all complaining that they were incompetent morons who decided on a non-standards compliant piece of garbage as their company's browser, the people that management brings in to replace those IT "professionals" will certainly make the switch to something compliant and secure.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    7. Re:A great reason to choose Firefox by Tim+C · · Score: 2, Insightful

More likely the users would complain, management would haul the IT chief into a room to ask what was going on, and he'd explain that the users were wasting lots of time filing frivolous tickets trying to access sites for non-work purposes, and management would issue a statement telling them to stop wasting time and money.

      In the home space, people would simply go "Huh? But then I won't be able to use my other webs!" and go somewhere else - especially if it's a commercial site they were looking to make a purchase from. Amazon won't serve me? I'll go to B&N, or eBay, or any of a huge number of other companies that will be more than happy to take my business.

    8. Re:A great reason to choose Firefox by Zero__Kelvin · · Score: 1

"he'd explain that the users were wasting lots of time filing frivolous tickets trying to access sites for non-work purposes ..."

Your assumption is that web browsers are used at work only for non-work purposes. Since that isn't true, if the IT "chief" told that lie his lie would quickly be exposed, and he would be replaced.

      "Amazon won't serve me? I'll go to B&N, or eBay, or any of a huge number of other companies that will be more than happy to take my business."

You're really not getting this concept at all, are you? When the user went to B&N, same thing. Amazon? Same thing. Rather than saying "OMFG, Microsoft has us by the short hairs and all our websites are belong to Billmer", it is possible to do something about it. When Matt Lowry is interviewing Jeff Bezos to ask about his heroic act of taking a short term hit on profits to protect the buying public from a huge security risk, the free publicity and advertising along with the shift in public perception from "Amazon just wants my money" to "Amazon has my back!" will pay dividends many times over.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    9. Re:A great reason to choose Firefox by Anonymous Coward · · Score: 0

      This is probably the most naive and ridiculous suggestion I've ever seen. The real-world analogy would be telling somebody in a wheel-chair that you're not installing an accessible ramp to your store, and providing them with instructions about how to walk.

      Also, assuming you are still employed, do your immediate superiors know that a lowly code monkey is arbitrarily deciding company policy because he doesn't feel like writing conditionals for the 70%+ of his customers that visit their site with IE?

      Note: This post was written in Safari. Thanks for being compatible, Slashdot :)

    10. Re:A great reason to choose Firefox by pclminion · · Score: 1

      Okay dude. Set down the crack pipe. We're not evangelizing here, we're trying to make money. When's the last time you got scolded while trying to buy something? You probably canceled your purchase and stormed out. Bet you didn't ever go back, did you?

    11. Re:A great reason to choose Firefox by Anonymous Coward · · Score: 0

      Man you're a fucking moron.

    12. Re:A great reason to choose Firefox by petermgreen · · Score: 1

The users that are doing legitimate business will file a ticket against the issue.

Of course there are a lot of websites that people use at work a lot but not for work related purposes. Slashdot would be an example of such a site.

      Even if the user is doing legitimate business stuff do you think they are more likely to try and fight the bureaucracy and if they win maybe come back and order something from you months later or just move on and get what they need somewhere else?

      The only way such an act could work is if a large number of large websites got together and did it at the same time. Something I doubt would happen.

--
note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
    13. Re:A great reason to choose Firefox by Zero__Kelvin · · Score: 1

      "Slashdot would be an example of such a site."

      When you make false assumptions, your conclusions will necessarily be mistaken. Many people use Slashdot for work related activities. There is a lot of garbage here, but there is a lot of stuff related to your work if you have a real High Tech job.

      "The only way such an act could work is if a large number of large websites got together and did it at the same time. Something I doubt would happen."

      You obviously haven't read the rest of my posts on this subject; specifically the one where I address this using Amazon and Jeff Bezos as an example.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    14. Re:A great reason to choose Firefox by petermgreen · · Score: 1

      You obviously haven't read the rest of my posts on this subject; specifically the one where I address this using Amazon and Jeff Bezos as an example.
      Your original post:
      It looks like there is a root flaw in your logic implementation there jbacon. You are right about the special casing needs, but a simple redirection to a page explaining that they are using a non-standards compliant virus sink with links to getfirefox.com
      Read in the context of the post you were replying strongly implies that you were reccomending this is a course of action to ordinary web developers. Along with most of the others replying to you I believe such an action would be pretty close to suicidal for any business operating on-line.

      When someone pointed this out you responded by moving the goalposts:
      You're really not getting this concept at all, are you? When the user went to B&N, same thing. Amazon? Same thing.
      If you could get all the major online suppliers to do it at the same time then I accept that they might make some headway. However I think the chances of them colluding like that are pretty low given they have no real business reason to do so, the large risks if someone breaks ranks and the fact that even if it was successful it would likely cause a lot of delay to customers.

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
    15. Re:A great reason to choose Firefox by Zero__Kelvin · · Score: 1

      "The real-world analogy would be telling somebody in a wheel-chair that you're not installing an accessible ramp to your store, and providing them with instructions about how to walk."

      At first I didn't think the analogy held, until I realized that the person in your analogy can walk, and just didn't know it, until I told them, at which point they came rising out of the chair and never had to be so encumbered again! Great analogy. Thanks ;-)

      (Too bad you're an anonymous coward, and will never learn from your own mistake.)

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    16. Re:A great reason to choose Firefox by ajlisows · · Score: 1

      Are you insane? "No, you can't do business with us unless you install the browser that we like." For the sake of argument, let us say that I am a very non technical user (albeit one with a good deal of money) who has a hard time doing anything outside of clicking on Outlook to get EMAIL, clicking on Word to create documents, and clicking on Internet Explorer to browse the web. Now you are telling me that you expect me to download some Godzilla Flaming Fox thing in order to order stuff from you? That sounds like a lot of trouble at best, some interweb hacker thing to steal my information at worst. I'm going elsewhere.

      I recently gutted the main menu on my company's web site because the thing didn't load 20% of the time and was really poorly written. My first try at it, it worked with IE7, IE8, and Firefox. I figured it would be fine. Calls started coming in from people unable to navigate our site at all. If I had walked into the President's office and explained that I am going to put some type of notice that the customer should just upgrade their browser, he would have either A. Laughed at the funny joke I made and told me to go fix it or B. Sacked me on the spot if he realized I was serious.

      I like open source software. I like compliance to standards. I hate IE 6 (actually 7 and 8 too, but mostly 6). Unfortunately, it is my job to make the tech work for the users, not make the users do things to work with my tech. That sort of mind set will put you out of business pretty quickly unless your clients are almost entirely high tech.

    17. Re:A great reason to choose Firefox by Zero__Kelvin · · Score: 1

      "Are you insane?"

      No, but as you point out, most of the people in the world certainly are ;-)

      I guess it never occurred to you to take the middle road and encourage them to upgrade without requiring it. You could set a cookie so that you don't "annoy" them with your incessant pleas to stop making the internet a clusterfuck for everyone. You may well have a boss that has no clue, and that might mean you can't be one of the first to do the sane thing. That doesn't make the idea itself insane.

      Finally, if you re-read my post you will realize you mischaracterized what I said. I didn't say to recommend they upgrade their browser. I said to point out a number of facts, like the fact that the FBI has issued a statement recommending that nobody use IE due to national security concerns*, and offer to help them move from an insecure browser to a much more secure one.

      * (They later retracted this statement under political pressure, so you might need to find a better one to use, but you get the idea)

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
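    The "middle road" described in the comment above (detect an affected IE version, show a notice pointing to a more secure browser, and remember a dismissal in a cookie so the visitor is not nagged on every page) as an added example in JavaScript. This is not code from the original thread or from any site it mentions; the cookie name, the function names and the sample user-agent strings are this example's own assumptions. One caveat the detection handles: IE8 in compatibility view reports itself as "MSIE 7.0" but still carries a "Trident/4.0" token, so the Trident token is used to recover the real major version where present.

```javascript
// Added example: an "encourage, don't require" upgrade notice for old IE.
// Detection parses the user-agent string; a dismissal is stored in a cookie
// so the visitor sees the notice at most once per period. All names here are
// this example's own choices, not from the original page.

const NOTICE_COOKIE = 'ie_upgrade_notice_dismissed';

// Return the IE major version from a user-agent string, or null if not IE.
// IE8+ in compatibility view lies in the "MSIE x.y" token but still sends
// "Trident/N.0" (4.0 = IE8, 5.0 = IE9, ...), so prefer that when present.
function parseMsieMajor(userAgent) {
  const ua = userAgent || '';
  const trident = /Trident\/(\d+)\.\d+/.exec(ua);
  if (trident) return parseInt(trident[1], 10) + 4;
  const msie = /MSIE (\d+)\.\d+/.exec(ua);
  return msie ? parseInt(msie[1], 10) : null;
}

// Parse a document.cookie style string ("a=1; b=2") into a plain object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Show the notice only for IE at or below maxVersion (IE6/IE7 are the
// versions the article says are affected) and only if not already dismissed.
function shouldShowUpgradeNotice(userAgent, cookieString, maxVersion = 7) {
  const major = parseMsieMajor(userAgent);
  if (major === null || major > maxVersion) return false;
  return parseCookies(cookieString)[NOTICE_COOKIE] !== '1';
}

// Build the cookie assignment that suppresses the notice for `days` days.
// path=/ makes it site-wide; the expiry is what turns "nag forever" into
// "ask again later".
function dismissalCookie(days, now = new Date()) {
  const expires = new Date(now.getTime() + days * 86400 * 1000);
  return `${NOTICE_COOKIE}=1; expires=${expires.toUTCString()}; path=/`;
}

// Browser glue: inserts a dismissable banner at the top of the page.
// Returns true if the banner was shown. Takes the document as a parameter so
// the decision logic above stays testable outside a browser.
function installUpgradeNotice(doc) {
  if (!doc) return false;
  const ua = doc.defaultView && doc.defaultView.navigator.userAgent;
  if (!shouldShowUpgradeNotice(ua, doc.cookie)) return false;

  const box = doc.createElement('div');
  box.setAttribute('role', 'status');
  box.textContent = 'You are using an old Internet Explorer with known, unpatched security problems. ';
  const link = doc.createElement('a');
  link.href = 'http://getfirefox.com/';
  link.textContent = 'Here is a more secure browser.';
  box.appendChild(link);
  const dismiss = doc.createElement('button');
  dismiss.textContent = 'Not now';
  dismiss.onclick = function () {
    doc.cookie = dismissalCookie(30);   // stay quiet for a month
    box.parentNode.removeChild(box);
  };
  box.appendChild(dismiss);
  doc.body.insertBefore(box, doc.body.firstChild);
  return true;
}

// Only touch the DOM when one exists, so the file also loads under Node.
if (typeof document !== 'undefined') installUpgradeNotice(document);
```

The decision functions take the user-agent and cookie string as arguments rather than reading `navigator` and `document.cookie` directly, which is what makes the "show it or not" rule checkable without a browser; the DOM work is confined to `installUpgradeNotice`.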
  11. What the world needs by hey! · · Score: 4, Interesting

    is a definitive software engineering treatise on the history of IE security exploits.

    It is certainly true that there is a kind of economic network effect going here. For many years we saw so many web sites that only worked properly with IE because IE was so dominant. The same factor naturally attracts black hats looking for systems to exploit. Once we factor that out, what can we learn from how IE was conceived and maintained?

    Did clumsy code-reuse and maintenance play a significant role? That is, did they stretch existing code to do things it hadn't been designed to do because it was close enough to pass the demo test on time? That's a decision we all face; we'd all *like* to rewrite things better when we take a look at them, but in the real world we've got to ship good enough code on a deadline to justify our salary. I think MS might be particularly vulnerable to the "killer demo" imperative. They are a business that is dependent on organizations choosing entire MS product stacks because they *anticipate* something they're going to need in the future will be dependent on something else in that stack.

    Did "business strategy" considerations confuse priorities for system requirements? E.g., The decision to make IE a fundamental part of the OS allowed MS to gain control of (destroy) the browser market while evading anti-trust regulation. Did that result in undesirable coupling of IE to the underlying system? Did the desire to leverage browser market dominance to give other MS products a competitive advantage create confusion in requirements or priorities?

    Were there cultural attitudes that made security and quality secondary? E.g. Did MS value having shiny new features soon before doing a quality implementation? Did their success at achieving effective control of the browser market cause them to under-invest in maintenance because they had no competition worth worrying about?

    These are the kinds of things I'd like to know. It's almost past the point where any individual security flaw in IE is interesting to me, because there have been so many and will be so many more. It's time for a really first rate summing up by somebody who knows what he's talking about.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    1. Re:What the world needs by DoofusOfDeath · · Score: 2, Interesting

      is a definitive software engineering treatise on the history of IE security exploits.

      Yup. We definitely need a "Truth and Reconciliation Commission" for what Microsoft has done to us. Whether or not to prosecute them later is a political decision. ;)

    2. Re:What the world needs by ColdWetDog · · Score: 1

      Yup. We definitely need a "Truth and Reconciliation Commission" for what Microsoft has done to us. Whether or not to prosecute them later is a political decision. ;)

      I was thinking more along the line of the Nuremberg Trials.

      --
      Faster! Faster! Faster would be better!
    3. Re:What the world needs by Zero__Kelvin · · Score: 1

      "Did clumsy code-reuse and maintenance play a significant role? "

      I don't know. Let's just go grab the code and take a loo .... oh, wait. Never mind.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  12. Google strikes back by sagematt · · Score: 2, Funny

    Which butthurt Google Chrome Frame developer found out about this?

  13. Use this to Install IE8 by Anonymous Coward · · Score: 0

    Someone should write some code to use this vulnerability to install and run the IE8 update program.

    1. Re:Use this to Install IE8 by JustOK · · Score: 1

      that's just mean.

      --
      rewriting history since 2109
    2. Re:Use this to Install IE8 by Tim+C · · Score: 1

      In the UK that would fall foul of the Computer Misuse Act; other countries have similar laws.

      It's also a really, really stupid idea, only marginally less anti-social than writing traditional malware.

    3. Re:Use this to Install IE8 by Thinboy00 · · Score: 1

      Someone should write some code to use this vulnerability to install and run the IE8 update program.

      A real white hat would go the whole hog and install Firefox.

      --
      $ make available
    4. Re:Use this to Install IE8 by pbhj · · Score: 1

      Someone should write some code to use this vulnerability to install and run the IE8 update program.

      A real white hat would go the whole hog and install Firefox.

      With an IE6 theme so they don't notice.

  14. U.S. Government by WED+Fan · · Score: 1

    This is a huge problem. Many U.S. Government agencies have yet to move off of IE6. Especially the military. Mostly due to IT management contracts that require the gov't to pay for every little upgrade action. For a simple upgrade, one agency gets tagged per profile per month by the company that runs their IT. That same company has a policy of being 2 versions behind current. Meaning, it is actual policy to be running IE6, Office 2003, and XP/Server 2003. The approval process is so overtaken with red tape and time that most give up trying to get upgrades. One agency just recently removed NETSCAPE from their builds. NETSCAPE!

    All it takes is a hostile government to set up a few magnet sites, get banner ads deployed, and bam, your U.S. Government has rampant infections. Is it any wonder we read, from time to time, about gov't employees being prohibited from going to certain sites?

    --
    Politics is the art of looking for trouble, finding it everywhere, diagnosing it incorrectly and applying the wrong fix.
    1. Re:U.S. Government by csartanis · · Score: 1

      Netscape is probably still more secure than IE6...

  15. Hypocrites! by Anonymous Coward · · Score: 5, Insightful

    So, isn't the responsible thing to do to notify Microsoft, and give them adequate time to produce a patch?

    By posting the exploit to a public list, this guy is basically handing the bad guys a weapon. That's criminal. But because it's a Microsoft product, the Slashdot folks just eat that up -- Hey, fuck'em, they're running Wind0ze!!!111

    1. Re:Hypocrites! by Anonymous Coward · · Score: 0

      What? The man who exposes an existing problem is now the criminal?

      Microsoft is the criminal for putting code on your computer which is capable of deleting your hard drive / downloading kiddie porn / etc.. Internet Explorer, as a computer program, works exactly how it's coded. Every single security hole is the result of a programmer writing some (hopefully accidentally) naughty code.

      I keep hearing this notion that computer security is like physical security, that how much security you get is a function purely of how much you pay. It's really the opposite: in the physical world no matter how strong a wall you raise, an attacker with enough money can build a weapon strong enough to penetrate it. The attacker can always win by applying more money/strength. In a computer, the computer never does anything it wasn't told to do as part of its software. If the computer won't listen to instructions from strange websites telling it to install pieces of software, then there's nothing an attacker can do. The defender has a natural advantage.

      Once a vulnerability is found it is, of course, polite to inform the vendor and let them know, but it is in no way the responsibility of the attacker or researcher to do so. Since you felt Microsoft is being unfairly singled out, I should mention that there's a good reason: Microsoft has stopped considering vulnerability reports in their software. They accept them, acknowledge them, ask the finders to keep them secret (usually by claiming that they're working on the fix right this moment), but ultimately they don't fix them until one shows up in the wild. To Microsoft, a known but not yet exploited bug is considered zero-priority since they have so many bugs which are being actively exploited. Because of this policy, early notification to Microsoft is useless.

    2. Re:Hypocrites! by Psaakyrn · · Score: 1

      There already is a patch, it's called IE 8.

    3. Re:Hypocrites! by Kingrames · · Score: 1

      Welcome to 2009.
      Whether it is known by the public is irrelevant, it's already in the hands of crackers and terrorists.

      Once the people know about it, THEN it's possible for some good to come of it.

      --
      If you can read this, I forgot to post anonymously.
  16. Re:Really? by Anonymous Coward · · Score: 1, Insightful

    Presumably you run it with no extensions, then?

  17. MS could have found+fixed it by obarthelemy · · Score: 1

    but all their code security auditors were working on the Chrome plugin :-p^

    --
    The Cloud - because you don't care if your apps and data are up in the air.
  18. Wait a minute! by Anonymous Coward · · Score: 1, Funny

    You upgraded the stable IE6 to BETA IE8?...(I mean IE7).

  19. Nope by WD · · Score: 1

    Not quite. There's no JavaScript in the CSS, nor is there a buffer overflow.

  20. Windows 3.11 by MillionthMonkey · · Score: 1

    I think most worms these days will check the version and refuse to run until you provide an update for them to infect.

  21. Re:Really? by Thinboy00 · · Score: 1

    Presumably you run it with no extensions, then?

    No, it's much more secure with NoScript.

    --
    $ make available
  22. Re:yuo F4il it by Thinboy00 · · Score: 1

    Wrong URL.

    --
    $ make available
  23. LOL by MillionthMonkey · · Score: 1

    ...a simple redirection to a page explaining that they are using a non-standards compliant virus sink with links to getfirefox.com and articles backing up the claim would be much more effective in the long run. In fact, if there weren't so many web designers with root flaws in their logic akin to yours, it would benefit in the short run. About the third or fourth time the user had to choose to use a standards compliant web browser or stop visiting the site(s) they want to visit, they would get the message.

    It sounds like a repetitive Ayn Rand novel with all the intellectual web designers going on a new strike every time less buggy browser versions come out.

    1. Re:LOL by Zero__Kelvin · · Score: 1

      "It sounds like a repetitive Ayn Rand novel with all the intellectual web designers going on a new strike every time less buggy browser versions come out."

      That's probably because you mistakenly think that IE not being standards compliant, and Windows in general turning your computer system into a petri dish, are the result of bugs rather than an intentional part of the design. One would be foolish to claim that Microsoft doesn't intentionally make their software products non-compliant. If you pay attention and study your M$ history well, the fact that the virus propagation is by design as well becomes readily apparent.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    2. Re:LOL by MillionthMonkey · · Score: 1

      As true as that may be, if you refuse to serve pages to people with old browsers they won't "get the message" you imagine.

      Essentially what you suggested would require that everyone in the world who serves HTML pages should join in a concerted effort to dictate terms to those in the larger public who request them. HTML is too cheap to get away with that.

  24. MSIE version 8 is not known, according to TFA. by jbn-o · · Score: 2, Interesting

    The problem isn't anything Microsoft doing, it's users who don't upgrade their OS. Did you notice the part where this only affects IE6 and IE7? Upgrade to IE8, and, presto, you're immune!

    Some users, like office workers, are not in control of the computers they use and cannot switch away from what they were given. Sometimes they were set up with particular versions of software to suit other programs. The "Banner" system some universities use, for instance, requires MSIE7 and a particular old version of Sun's Java runtime. Certain sections of Banner don't work properly with non-MSIE browsers like Firefox. I understand this is an extremely costly system and switching away is considerably complicated. I'm not endorsing these choices or claiming any of these choices is wise, but it is there.

    The article also says the status of MSIE8 is not mentioned by the researchers: "Neither company [Symantec and Vupen] was able to confirm that the attack worked on Microsoft's latest browser, IE 8.". What part of what article were you referring to?

  25. So this means it's just like IE? by DJRumpy · · Score: 1

    "According to security vendor Symantec, the code does not always work properly, but it could be used to install unauthorized software on a victim's computer."

    Does this mean it's on a level playing field with old versions of IE? It does not always work properly, and can install unauthorized software on a victim's computer?

    1. Re:So this means it's just like IE? by Sfing_ter · · Score: 1

      so it is like most of the programs from microsoft... sigh.

      --
      A computer once beat me at chess, but it was no match for me at kick boxing. Emo Philips
  26. my take on this by Anonymous Coward · · Score: 0

    This is my first comment on slashdot, and I'm quite annoyed by the "Windows security is bad" refrain.
    Each piece of software has problems, and will continue to have problems.
    IMHO, you can measure security by one aspect only today: response time.
    One could argue that the pure number of problems is also relevant, but these numbers are irrelevant as one vendor would not disclose all problems, where another one may disclose all. Also priorities may differ (a critical bug for one company may not be so big to another). So in the end you would end up with a relatively higher number of problems for the other vendor, but if they take 5 days to fix the issue, where the first one takes 15 days, I'd pick the one with the faster response time any time.

    So, we would probably see how long will it take for Microsoft to fix the issue.
    But for me, one of the HUGE problems with patching is that each time you install something (on Tuesday :)) you have to reboot your PC (I can remember only a few occasions where I did not have to reboot), whereas for instance you would reboot Linux only if the kernel is updated (at least in my experience).
    And this brings another problem - sometimes I can't reboot the system, so I postpone installation of patches by many weeks and make my system susceptible to attack.

    There :)

  27. My pick by jonaskoelker · · Score: 1

    (A)bort, (R)etry, (F)lail

    I'm thinking +5 Epic Flail.

    1. Re:My pick by Anonymous Coward · · Score: 0

      (A)bort, (R)etry, (F)lail

      I'm thinking +5 Epic Flail.

      In case you don't know the difference: this is a flail, and this is an Epic Flail!

  28. Don't think you're safe if you run OSX or Linux by bXTr · · Score: 1

    Thanks to products like VMware, VirtualBox and Boot Camp, Mac and Linux users can be just as vulnerable as Windows users to viruses, bots and malware. Even though it's in its own virtual environment, if you have something like FUSE running within it to make your host filesystems available, anything infecting the guest OS can access files on the host. Make sure the VM software runs as a non-privileged user to mitigate these problems.

    If you're on an IT managed PC at work, where you're not allowed to install software, get a thumb drive, go to PortableApps.com, download Firefox Portable Edition or Google Chrome Portable, install it (not in the Windows Installer sense) to your thumb drive and use it for web browsing on the Internet. Only use IE for web browsing on your corporate intranet or if you really, really, really, really, really have to for a site on the Internet that you trust.

    --
    It's a very dark ride.
  29. And the mechanism is: by Anonymous Coward · · Score: 0

    Javascript. It is a bad thing. Let's all grow a collective brain, realize it's not worth the trouble, and let's all stop using it.

  30. At the risk of redundancy... by icannotthinkofaname · · Score: 1

    Symantec is idiots.

    From TFA:

    "To minimize the chances of being affected by this issue, Internet Explorer users should ensure their antivirus definitions are up to date, disable JavaScript and only visit Web sites they trust until fixes are available from Microsoft," Symantec said.

    Or...perhaps to minimize the chances of being affected by this issue, Internet Explorer users could STOP USING IE! Or at least upgrade to IE8, because that's all, like, officially released and stuff.

    I mean, I realize that Symantec is an antivirus company and all, but this is just stupid to a ridiculous degree.

    --
    Let q be a radix > 1. I am in ur base-q, killing 10 d00ds.
  31. MOD PARENT DOWN by Anonymous Coward · · Score: 0

    Seriously, who's the idiot who keeps modding up this crackpot conspiracist? It's well known that this a troll account; it shouldn't have anything but a -1 karma.

  32. FUD...scare em into buying IE8 by lamapper · · Score: 1

    So 40% of the market is IE6 and IE7, let's move 'em to IE8...print an article on the exploit...but this is not new, people know turning off JavaScript fixes it. Doesn't matter, print the article, we need the revenue... How convenient that they "did not know" if the exploit will work on IE8, of course it will, if it works at all, see last line. Come on already, this is so obviously FUD (especially in the FEAR department). And if their PC + OS will not run IE8, even better, more revenue when they buy Windows 7 or Vista plus. really, Really, REALLY, why do I feel like I am in a South Park episode? Probably because this is MORE FUD! Most telling statement in the article: "...the code does not always work properly, but it could be used to..."

    --
    Is your Internet Throttled? Install DD-Wrt, OpenWRT or Tomato to learn the truth! Google: 1Gbps/1Gbps: 5 Communities
  33. use this by Anonymous Coward · · Score: 0

    Please somebody use something like this attack to upgrade all the IE6s left! Thank you.

  34. I never said it would be easy ... by Zero__Kelvin · · Score: 1

    "Along with most of the others replying to you I believe such an action would be pretty close to suicidal for any business operating on-line."

    People don't tend to reply on Slashdot with "Yeah man ... what he said". We have a mod system to discourage that.

    I never said that the problem can easily be solved with nobody making sacrifices. When you are the battered wives of the high tech world and you finally wake up to the fact that you chose the wrong relationships; when you realize that the relationships are never going to be loving and mutually beneficial, and finally accept that "things are going to be different this time; I'm going to change ... really" is a forever empty promise, you either continue to endure the abuse or you change your behavior.

    Taking the kids to the shelter sucks, but your lives won't get better without sacrifice. The sacrifice will be much less if you all work together toward a common goal, and it would help if one or more people in a position of power take a stand on your behalf.

    I left my abusive relationship with Billmer years ago, and I wish you well should you choose to make the same decision. I have never met a battered wife who, years later, didn't say that the best choice they ever made was "biting the bullet" and making the sacrifice that ultimately resulted in them being happy, joyous, and free.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  35. Chrome Frame by MikeFM · · Score: 1

    I'm gonna use this to force Google Chrome Frame to install.

    --
    At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.
  36. good analogy! by Anonymous Coward · · Score: 0

    that 12 y.o. car, if it's a typical unibody, has probably lost 50% of its structural strength due to corrosion, & will fold up like paper in a good crash, just like iXploder;-)

  37. An open source idea by Anonymous Coward · · Score: 0

    Now how to use this to install FireFox and upgrade IE on unsuspecting IE6/7 users?

  38. titti by thisispurefud · · Score: 1

    Mitigating Factors: Internet Explorer 8 is not affected and Protected Mode in Internet Explorer 7 in Windows Vista limits the impact of the vulnerability.