New Critical Bug In All Current Windows Versions

Trailrunner7 writes "Microsoft is warning its users about a dangerous flaw in the way that Windows handles certain MHTML operations, which could allow an attacker to run code on vulnerable machines. The bug affects all of the current versions of Windows, from XP up through Windows 7 and Windows Server 2008. Microsoft issued an advisory about the MHTML vulnerability, which has been discussed among security researchers in recent days. There is some exploit code available for the bug, as well. In addition to the advisory, Microsoft has released a FixIt tool, which helps mitigate attacks against the vulnerability in Windows."

Knowledge Base containing Fixit Link

[Nuisance]

Would be nice to have seen these in the article...

http://support.microsoft.com/kb/2501696

Re:Knowledge Base containing Fixit Link

[icebike]

Perhaps also useful would be a hint that simply avoiding Internet Explorer would provide all the protection from this bug that is needed.

Re:Knowledge Base containing Fixit Link

[BadAnalogyGuy]

Actually, since most 3rd party browsers use the IE rendering engine, they would be at risk as well.

Re:Knowledge Base containing Fixit Link

[CastrTroy]

I can't think of any serious browser that uses the IE rendering engine. Firefox, Opera, Chrome, and Safari all use their own rendering engines. That covers 99.999% of all browsers in use.

Re:Knowledge Base containing Fixit Link

[parlancex]

Many applications that display embedded HTML would be at risk. Those applications include Steam, MSN Messenger and others, etc.

Re:Knowledge Base containing Fixit Link

[santiagodraco]

No kidding. But hey, Microsoft just wants liability protection. They don't give a shit about actually giving users the data they need to protect themselves if it means tarnishing their image.

They know you can't replace Windows, but you can easily replace IE, hence it's a "Windows" problem.

Re:Knowledge Base containing Fixit Link

[EvilIdler]

Steam uses WebKit now, so no problem there. MS products are of course always at risk while there are vulnerabilities in the IE engine.

Re:Knowledge Base containing Fixit Link

[Zuato]

The major third party browsers do not : Firefox, Chrome, Opera.

Outlook, Outlook Express, and Windows Live mail are also impacted by this unless you have IE locked down tighter than most users would have.

Re:Knowledge Base containing Fixit Link

[fragMasterFlash]

What about Outlook? Can this exploit be triggered by code embedded in an email?

Re:Knowledge Base containing Fixit Link

[TheLink]

Uh that's all the data most of their users need. Most of their users want a simple "FixIt" (that's how they often get into trouble in the first place, but that's not MS's fault). Most of these users aren't going to even know about this problem though. They'll only get a fix if MS ever releases it in a Windows Update and they have Windows Updates enabled.

As for the rest of the users who actually care to know more: https://www.microsoft.com/technet/security/advisory/2501696.mspx
The very few who are that interested can find out even more details themselves.

So it's inaccurate to say MS doesn't give a shit about this problem.

Re:Knowledge Base containing Fixit Link

You can avoid it as much as you want, because Windows won't. There are shitloads of apps that require and use IE and bits of the HTML rendering engine.

Re:Knowledge Base containing Fixit Link

[weicco]

You mean like simply avoiding Linux would be enough protection to avoid all of these?

Re:Knowledge Base containing Fixit Link

Difficult to do - just using Firefox isn't enough. IE gets used in software from Outlook to Google Earth, so you often don't realise you're using it.

Re:Knowledge Base containing Fixit Link

[ais523]

According to Microsoft's security advisory, you can trigger the bug like that but Outlook's security settings are too locked down for it to actually be exploitable there.

Re:Knowledge Base containing Fixit Link

Until one of your applications uses IE as an embedded browser. Or IE gets launched as a default browser by some application that doesn't care about your settings. Or you encounter a website which only renders properly in IE.

tl;dr: shut the fuck up

Re:Knowledge Base containing Fixit Link

NO!

People always say that - "Oh I use OffByOne so nothing will get me."

IE is part of the OS. It always needs patching whether or not you use it, and whether or there are (currently) exploits which don't actually use the browser.

Re:Knowledge Base containing Fixit Link

support.microsoft.com is down, at least from the Netherlands. I'm running Ubuntu, but would like to know what to expect Monday at work.

Re:Knowledge Base containing Fixit Link

[johnwbyrd]

Oh look, someone on Slashdot is flaming Internet Explorer and gets +5 for it. How novel and refreshing.

Re:Knowledge Base containing Fixit Link

[hidave]

I tried Firefox once. It wouldn't run some videos. Also IE has a little button in the lower right hand of the screen that I can easily magnify the view. Very useful and not available in Firefox. After two days, I went back to IE.

Re:Knowledge Base containing Fixit Link

[hidave]

About two years ago, after one of the regular MS auto updates, Outlook quit working. I did a system restore, which didn't help. So I reinstalled Office and Windows from the original disks, but that didn't help either. I've had to use Widows mail since then, which of course isn't as good. No one online had any suggestions that worked. Possibly someone reading this will have had the problem and got it fixed. Help.....

Re:Knowledge Base containing Fixit Link

[lul_wat]

Use Thunderbird instead?

Re:Knowledge Base containing Fixit Link

[Ol+Olsoc]

Correct, run CCleaner on your drive, and see how much is stored in your IE cache. Even if you never ever open the program on purpose.

Re:Knowledge Base containing Fixit Link

[Tenebrousedge]

Hidave, it sounds like you have some PEBKAC issues. It is recommended that you wipe your system with a liveCD and start from scratch (installing windows, then office etc). Assuming the data on your discs are still intact, this should return you to a working state. Otherwise, download a new windows ISO and go from there. Your system will probably be pwned thirty seconds after you connect it to the internet, so delay that step until your system has its bum-cover (AV) on.

You have learned why backups are important: they let you return to a known-working state. Once you have a working system again, make one. You may also have learned something about trusting microsoft updates, but I doubt it.

Firefox has a keyboard command to increase text size. Keyboard commands are generally faster than GUI elements, but YMMV. The cool thing about firefox though is that there are add-ons so you can enhance that sort of functionality. There is an add-on to give you a GUI button to zoom. Also, Adblock Plus is indispensible, NoScript is highly recommended, and Firebug is essential for web development.

There's nothing quite so pathetic as an entrenched Windows user. Its flaws engender hopelessness and despair, for what alternative action can be taken? "Why?," the user asks, "Why is this happening to me?" Well, not that we blame you for your past indiscretions, but here's a nickel.

Re:Knowledge Base containing Fixit Link

[DaVince21]

Steam has been using WebKit since a few months now, and more applications are following the trend. (Not MSN Messenger though, of course.)

Re:Knowledge Base containing Fixit Link

[weicco]

Heh. I'm a flamebait by simply changing one product to another. But to be honest, I was expecting such moderation much earlier :)

Investing

[cosm]

Can I just say that now is probably a good time to invest in the tech industry. Since /. has redesigned the site, I believe productivity levels in the industry will be on the rise due to the number of commenters leaving in droves.

Re:Investing

I'd mod you up but moderation is broken on opera

Re:Investing

Well I was wondering about the new site. It sure is schmantcy, but its also slower. Here I thought the new Nvidia drivers would suddenly make things super-duper fast, and whammo, slashdot redesign sucks that speedup right out of the box and then some. Oh well, I can always pretend its 1983, and I'm on my Vic-20 instead of my CoreI7-920.

Re:Investing

[lowlymarine]

Clearly it's just your horribly dated hardware. Everything's fine on my i7-2600k, time to get with the times grandpa!

Re:Investing

[artor3]

And I'd mod you down, but doing so would make my post (and all other child posts) invisible as well. Heck, since you posted as AC, odds are no one will ever know this post was here.

Re:Investing

[Antisyzygy]

I'd mod you down for using Opera, but ator3 already mentioned why I can't.

Re:Investing

Why mod me down for Using Opera? It was the ONLY browser in which /. could render properly before the redesign fuck up.

Now inline commenting and moderation is fucked up, All they want to do is create a site for "people that use Safari browser".

Slashdot is death, suck it

Re:Investing

[Culture20]

Assuming you're using the javascripty version of Discussion2
Take a look at your process list. Your browser is eating at least one of your cores. open a few more /. windows. Feel the burn. My single core machine was dying with just one window open. I had to go back to Discussion1 and flag /. with noscript. http://slashdot.org/users.pl?op=editcomm

Re:Investing

[Zelgadiss]

I quite like the new site actually, it's clean and seems less buggy then the old one.

While it had some bugs when it was release, most of them appear to have been fixed.

The only issues I have with it is the mobile version, text is too small, and quite a few rendering glitches (over-lapping text, title of top post getting clipped).

Re:Investing

[dave562]

I would reply to this, but if you were to reply back to me, I would have to drill down through a whole slew of posts to find what you wrote. Where as previously I could just go to http://slashdot.org/~dave562/comments and then click on the comment you replied to. It would bring up a nice, EXPANDED tree view of the discussion thread.

One step forward, two steps back? Ah hell, who am I kidding. We all know that three steps were taken, but they were all in the same direction.

Re:Investing

[Cthefuture]

Is it just me or does the front page not show the number of comments any more? I really liked that and now it feels weird.

Any way to turn it back on?

Re:Investing

[seifried]

I think they've "pulled a Digg"

Re:Investing

I liked that too.

I also liked the ability to do basic slashdot stuff WITHOUT HAVING TO FUCKING ENABLE JAVASCRIPT!

Re:Investing

[WrongSizeGlass]

Now inline commenting and moderation is fucked up, All they want to do is create a site for "people that use Safari browser".

I see they finally got my letters! Yay Slashdot!

Re:Investing

[icebraining]

Classic version ftw. It doesn't use more than 6-7% of one core (AMD AthlonII X4 620).

Re:Investing

[DAldredge]

I would mod you up but /. hasn't given me mod points for 3 or 4 years.

Re:Investing

[melikamp]

Nah. Now people will waste even more time trying to fix the bugs with Stylish hacks like these:

One-liner contrast:

#comments .oneline {background: #F5F5F5 !important;}
#comments .oneline p {color: Black !important;}
.oneline .commentBody {color: Black !important;}

Highlighting friends:

span.friend {
border-style: groove;
border-width: 2px;
background-color: #32CD32;
}

span.friend > a:link {
color: black !important;
margin-left: 1em !important;
margin-right: 1em !important;
}

Re:Investing

[rudy_wayne]

Why mod me down for Using Opera? It was the ONLY browser in which /. could render properly before the redesign fuck up.

Now inline commenting and moderation is fucked up, All they want to do is create a site for "people that use Safari browser".

Slashdot is death, suck it

Every since the "new design" displaying posts has been fucked up. In Firefox, my normal browser, a small bit of the far left of each post is cut off. Ironically, I decided to try Internet Explorer (v8) and I am writing this reply in IE which displays the "new" Slashdot better than Firefox.

How interesting.

Re:Investing

[ColdWetDog]

Hang in there Anitsyzgy - I was in the same place then last week - poof - mod points. All week. Now you get 10 of the stupid things.

Kinda like dingleberies - they hang around and are hard to get rid of. You're probably doing better posting than moderating anyway.

Re:Investing

[EvilIdler]

For the past year and a half I've been getting mod points as soon as the previous bunch expired. It's bordering on annoying :)

Re:Investing

[PitaBred]

While I'm running an H.264 transcode in the background (which uses 100% CPU) and still surfing Slashdot, and it is running fine. But then again, I'm using the FF4 64bit nightly build.

Re:Investing

[DeathFromSomewhere]

Currently using 3% CPU, not once did I see it go above 10% while posting this (running various shit in the background). Chrome stable on Windows 7. Maybe it's time to upgrade?

Re:Investing

[Tacvek]

Nice thanks. I actually did better than highlighting friends, and restored the original icons, while ensuring the icons still function as a link.

In case anybody finds it interesting: https://gist.github.com/801524
(Sorry about Gist's syntax highlighting making it hard to read, but you can click the raw link for the formatted text.)

Re:Investing

[SadButTrue]

This 0-day is an IE flaw so maybe ./ isn't worth the risk?

PS ./ works fine in Chrome too...

Re:Investing

[Mr.+DOS]

Sorry, but the 10 mod points is because you've been singled out (check the question “Why do I have 10 moderator points instead of the usual 5?” under Comments and Moderation), not because of the new design.

Re:Investing

People leaving in droves affects comment numbers. Best not to advertise it on the front page :)

Re:Investing

[Maow]

I'd mod you up but moderation is broken on opera

I'd mod him up, but reading is broken on Firefox.

Re:Investing

[dbIII]

For one thing I intensely hate how the sidebar on the left obscures a few columns of article and comment text until about 4/5 of the way down the screen on firefox FFS. If they can't get it right for the current firefox on linux (and I'm assuming other platforms) then where does it work? Is this an iPad only site at the moment?

Re:Investing

[ikkonoishi]

I must be a moderating god because I get mine in chunks of 15. O_o

Yes. The power! Its going to my head. I am the mod god! Its me!

Re:Investing

[melikamp]

Very nice. I actually made a mistake: Black should be black. It works, but it's not kosher.

And after much cursing, I managed to kill the box on the left:

div.col_1 { display: none !important; }
section#firehose { margin-left: 0 !important; }
section#comments { margin-left: 1.5em !important; }

Re:Investing

[uvajed_ekil]

You're right, I'm not seeing the number of comments, either. I liked having it - I knew instantly if there was a big buzz about something, or if taking time to throw in my two cents might matter for a stalled thread.

Re:Investing

[nmb3000]

It's so frustrating how correct you are. I used to enjoy reading comments to a story, but now it's essentially impossible because of how BROKEN the scrolling is (at least in Firefox and IE). Scrolling using the mousewheel is slow as hell and when using the keyboard it's very unresponsive. That and the new style is hard to read and has too much whitespace. I feel like I'm staring at a lightbulb trying to read gray text.

For me this redesign has just demonstrated why I hate web 2.0. You are held hostage at the whims of moron marketing people and crappy devs like those behind the driving force of this redesign. It serves absolutely no meaningful purpose, is worse than the previous design, and everyone hates it. As you noted, fewer people are commenting, and if it doesn't improve people won't come back.

Taco - Why can't you wait until you have something that's actually better than the previous version before releasing this crap on us? Or do you not have a dev/staging system in place and this is your way of testing it? Waiting for people to come up with Stylish hacks to fix your useless and broken CSS? Just wondering.

Re:Investing

[HJED]

Work fine (if not faster) for me in FF on Ubuntu.

Re:Investing

Works fine for me on FF 3.6 on Ubuntu. In fact it feels faster.

Re:Investing

[Rick17JJ]

As I am typing this, it says there have only been 92 comments, so far. I have been wondering where all the comments and replies went. Do I just did not know how properly use the new version of their website to see all of the comments that might possibly really be hidden somewhere there?

Even when I click on various comments, I am not usually not finding many additional replies hidden beneath that comment. I am only seeing a tiny fraction of the amount of comments and replies that I had normally been seeing on Slashdot.

I had also been thinking that my computer was somehow blocking most of the comments. So, I had the NoScript extension for Firefox enable scripting for Slashdot under Firefox, to try to see what I was missing. But, that did make any obvious difference. Clinking on the "Get More Comments" button also did not not seem to help.

Earlier today, I tried viewing Slashdot with a Windows computer instead of my Linux computer to see if more posts would appear there, but they did not. Am I somehow not seeing most of the comments? Are there really so few people using Slashdot today?

Re:Investing

[Linker3000]

I'd mod up too, but I am not here any more. Seriously, any change takes a while to get used to, but the new site design is an epic fail of Digg proportions. I have now added an RSS feed to /. on my phone and that's pretty much as far as I get with /. now.

Re:Investing

As I am typing this, it says there have only been 92 comments, so far.

Well, I dunno what's going on. Because as I'm posting this it says there are only 50 comments, with none hidden.

Re:Investing

[migla]

And I'd mod you sideways if there was that option and if I could see any plusses and/or minuses on the metamod page, so that I could metamod and maybe get some modpoints.

Re:Investing

[MartinSchou]

Let's see. I'm running Opera 11 on OS X 10.6.6 on an iMac from 2008 (2.4 GHz Core2Duo, 2 GB RAM), and Opera is using less than 1% CPU.

Activity Monitor is consuming more space than Opera, and Slashdot isn't the only site I have open.

I'm thinking it's a very localized problem

Re:Investing

[Sponge+Bath]

./ needs an online FPS called Mod Arena where people with mod points can wager them in virtual combat. The winners can then sculpt discussions in their own Mod God self image. For instance you could mod up all posts about Lord of the Rings as "+1 Super Cheetos Cool" and mod down all Star Wars posts as "-1 Decaying Franchise".

Oh, yeah. To stay on topic: Windows has security problems.

Re:Investing

[Securityemo]

So do I, actually. I wonder what the actual statistics are for mod point allocation?

Re:Investing

[Securityemo]

On the other hand, just making all posts above -1 visible and plowing on through seems easier now. That's what I'm doing ATM anyway.

Re:Investing

[jambarama]

Hopefully they learn somewhat from digg and redesign in a faster less buggy & controlling way.

Re:Investing

Anon because I modded this thread, but killing div.col_1 and filling that space in with div.col_2 (removes the sidebar and expands the comments to full width) has helped a bunch, too:

div.col_1
{
display:none !important;
}

div.col_2
{
margin-left:-120px !important;
}

Re:Investing

But here's the thing, I have the copyright for the two symbols / and . when used in unison( /.) acronym. NOT! They refused to mod up anything I've ever said and won't even post my comments.. NOT to be concerned..

Re:Investing

[ColdWetDog]

Two moderators enter! One moderator leaves!

Re:Investing

[Culture20]

Maybe it's time to upgrade?

No, it's time for /. to fix its slashcode. Not every laptop/netbook out there has dual cores or greater yet. I didn't even try the new interface on my phone, but I have noticed that even the classic interface is slower on my phone with the new graphics, and when in horizontal aspect, the stories remain "vertical" with a big gray emptiness on the right side. /. has become severely buggy.

Re:Investing

[FragHARD]

I would have modded him up too.... but I just had to get outta here qik.

Re:Investing

[Ephemeriis]

everyone hates it

I actually kind of like the new design.

I used to enjoy reading comments to a story, but now it's essentially impossible because of how BROKEN the scrolling is (at least in Firefox and IE). Scrolling using the mousewheel is slow as hell and when using the keyboard it's very unresponsive.

Scrolls just fine for me in Firefox 3.6.13 (which I use at home) and Firefox 4.0b10 (which I use at work) and IE7/IE8 (also used at work).

That and the new style is hard to read and has too much whitespace.

Hadn't really noticed any real change in readability.

My only real complaint would be seeing replies to my comments. Used to be the email you got provided a link directly to the reply, now you have to drill down through several layers of comments to see what was said. That's genuinely annoying. But not crippling.

Re:Investing

[DaVince21]

8 Slashdot tabs open, Chrome is taking up near 0% CPU. That goes up when I scroll on the page, but that goes for all pages. Not sure what's wrong with your system or browser, but it sounds like a browser bug more than /.'s new design.

Re:Investing

[monkeythug]

I don't know if anyone's mentioned it yet, but I used to quite like the mini-comments view that gets embedded in the RSS feed. This is completely borked since the redesign, at least on Google Reader.

As for the rest - for me its all a bit Meh. What have they actually done that took all the time - changed the colour scheme and moved a few elements around? There are all sorts of functional changes and enhancements that would have been a lot more useful.

Which versions

[bvimo]

WTF is a current version of Windows? 3, 95, 98, Me, 2000, XP??

Re:Which versions

[postmortem]

WTF is a current version of Windows? 3, 95, 98, Me, 2000, XP??

Versions that are still supported actively, which are Windows XP SP3 and newer.

Re:Which versions

[bvimo]

Thank you.

Re:Which versions

[PatPending]

Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista Service Pack 1 and Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2**
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2**
Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems
Windows 7 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems**
Windows Server 2008 R2 for Itanium-based Systems
Source: http://www.microsoft.com/technet/security/advisory/2501696.mspx
Appears to apply only to Internet Explorer

Re:Which versions

[The+MAZZTer]

Umm it's right in TFS.

from XP up through Windows 7 and Windows Server 2008

Re:Which versions

[PatPending]

Why should he have to read TFS when there are fools (like me; see my earlier reply and my sig) who post informative replies? ~

Re:Which versions

WTF is a current version of Windows? 3, 95, 98, Me, 2000, XP??

It's the version with all the raisins in it.

Re:Which versions

[stoborrobots]

Appears to apply only to Internet Explorer

And anything else which uses the MHTML component, which includes many, many applications, including anything which uses the "Windows Help" system...

Re:Which versions

[WorBlux]

Anything that is still officially supported (XP service pack 2, and Windows 2000 aren't, anything newer is)

Re:Which versions

[Korin43]

Ha! And they said I should stop using Windows 98!

Re:Which versions

[SadButTrue]

Ohhh!!!! There is a help system in windows? I did not know that.

Re:Which versions

[jez9999]

So does this bug not happen on XP SP2, or do they just not give a shit about users who're using it?

Re:Which versions

[Flipstylee]

It was a mis-typed headline i believe, funny how one letter can muck things up. I think it should have read "New Critical Bug IS All Current Windows Versions".

Re:Which versions

[1u3hr]

It doesn't mean that non-current versions are safe, just that they didn't bother to test them. So just assume it's every version. Or if you don't use IE, no version.

Re:Which versions

[WorBlux]

They just don't give a shit. I believe it's goes back from IE 3 or 4 when they first did MHTML

Re:Which versions

[Drgnkght]

Don't get too excited. It isn't actually helpful.

Is it Windows or Internet Explorer?

[Luxemburg]

I would assume Firefox handles its MHTML itself?

a

Re:Is it Windows or Internet Explorer?

[JSG]

Try using a search engine with the term MHTML and getting something like this: http://en.wikipedia.org/wiki/MHTML

On FF you'll need a plugin to "see" MHTML, whatever it is. It seems to be an unholy mix of HTML and MIME and sounds unpleasant and probably a bit unnecessary.

Cheers
Jon

Re:Is it Windows or Internet Explorer?

[Saint+Stephen]

Nothing really works with .mht anymore, anyway. I used to use it to save web page receipts, etc. no more.

Re:Is it Windows or Internet Explorer?

It can affect firefox as well if you use IE frame.
The scary part is that the exploit for this bug it out in the wild

Re:Is it Windows or Internet Explorer?

[cbiltcliffe]

Well, that does look like it's going to be a pretty wide open security hole..... :-/

Re:Windows is still great.

[JSG]

You don't remember {MS|PC|IBM}DOS do you?

It should be possible to sue for time wasted trying to get 620Kb free memory available to run some shitty Lucas Arts game (or a crappy network stack n client).

Before the "I had a few problems with punch cards" mob dives in - no one ever said that a batch system based on paper doilies would be easy.

Cheers
Jon

Re:uhh

[hairyfeet]

Hi MR AC! If you would have read TFA or even TFS (I know I know, but I got bored) you would see they provide a link to The MSFT "fix it for me" page for this problem. Just click on "fix it for me" run the fix it, and that's it. Don't even need a reboot.

I'm sending the link to my customers and family now, and since it makes a restore point before applying it is easy to undo if you need to, although with previous "fix it for me" tweaks that I've run the MSFT patch released later took care of the fix it tweak before applying the patch.

So I don't really see why you or anyone would complain about this one. They have a quick fix that is so simple your grandma can run it, and released the fix quickly to tide people over until they have worked up a patch. I don't see how they could have done any better on this, as a full patch will take time to test and rightfully so as you wouldn't want MSFT releasing patches that break apps and/or drivers and cause more pain than the bug would you? This is easy, simple to apply, and painless to deploy. I don't see how you can get better and the guy that came up with the "fix it for me" program really deserves a raise and company car, as it really has made these fast released workarounds painless for home users..

that ho on the corner still feels good!

the john and pimp defend their prostitutes to the bitter end.

Microsoft takes 2 weeks to confirm things

http://www.80vul.com/mhtml/Hacking%20with%20mhtml%20protocol%20handler.txt

Re:Microsoft takes 2 weeks to confirm things

Microsoft takes 2 weeks for everything.

Incorrect Article Title (Headline)

[lloyddean]

Who writes these Headlines. It's not a NEW bug it's an (possibly) un-noticed OLD bug.

Re:Incorrect Article Title (Headline)

[JSG]

Well Mr six dig, RanDomCapS 'n' punctuationeer extraordinare - who can say?

Apparently someone called Timothy left their name on the article for all to see.

This: https://www.microsoft.com/technet/security/advisory/2501696.mspx

was posted 28 Jan 2011.

When did you notice the bug? - We'd all love to hear your insights on it.

Cheers
Jon

Re:Incorrect Article Title (Headline)

I suppose when someone discovers fossilized bones, that's a NEW dinosaur then ...

Re:Incorrect Article Title (Headline)

[seifried]

The bug was noticed about 2 weeks ago: http://www.80vul.com/mhtml/Hacking%20with%20mhtml%20protocol%20handler.txt

Re:Incorrect Article Title (Headline)

[disambiguated]

I'm tempted to say yes. If the dinosaur was previously undiscovered, it wouldn't be unclear to say "scientists discover a new dinosaur."

Re:Incorrect Article Title (Headline)

[lloyddean]

And I'd say it was newly discovered dinosaur. In no way could the dinosaur be described as itself new. It's the same with the article title. It should probably be written as "Newly Discovered Critical Bug Found In All Versions Of Windows".

The Reason for Window Bugs

[NicknamesAreStupid]

It goes so fast that those little buggies just can't get out of the way. Besides, they are drawn to the light.

Re:uhh

[Hylandr]

Hi MR AC! If you would have read TFA or even TFS (I know I know, but I got bored) you would see they provide a link to The MSFT "fix it for me" page for this problem. Just click on "fix it for me" run the fix it, and that's it. Don't even need a reboot.

I'm sending the link to my customers and family now, and since it makes a restore point before applying it is easy to undo if you need to, although with previous "fix it for me" tweaks that I've run the MSFT patch released later took care of the fix it tweak before applying the patch.

Oh I so trust Microsoft to not have any ill intentions regarding previously undocumented operations. And remember those disgusting and insulting commercials from MS for the "release party" for the latest os? Yea the above quote doesn't smack of that at all...

From the Software company that still refuses to acknowledge Back Oriface was a threat to "Here, take this pill trust us" .

F You Microsoft.

- Dan.

Really not an issue...

[steeleyeball]

Not a problem for my Vic 20 or my Linux powered Acer Aspire REVO Nettop.

Re:Really not an issue...

[by+(1706743)]

Not a problem for my Vic 20 or my Linux powered Acer Aspire REVO Nettop.

Fullscreen flash, on the other hand, probably is ;)

Re:Really not an issue...

[Osgeld]

I am sitting on my DEC 386 laptop thinking the same thing, then I thought, fuck this takes less time to scroll through comments on the /. site than it does on my uber modern web browser on a multicore 2.8GHZ computer

so what the fuck is my incentive anymore people?

Re:Really not an issue...

[steeleyeball]

I don't have any real problems with Full Screen Flash on my REVO... Flash Videos generally play smoothly.

Microsoft has released a FixIt tool

Linux /obligatory

Re:uhh

Wow. What a sorry ass faggotty little cock sucker you are. Mommy will come rub your penis to make you feel better.

Re:uhh

[tqk]

Hi MR AC! If you would have read TFA or even TFS ...

Well, some of us don't fscking care. WTF is MHTML?!?

(0) phreaque /home/keeling_ dict mhtml
2 definitions found

From Virtual Entity of Relevant Acronyms (Version 1.9, June 2002) [vera]:

    MHTML
              Messaging HyperText Markup Language (HTML)

From Virtual Entity of Relevant Acronyms (Version 1.9, June 2002) [vera]:

    MHTML
              MIME [e-mail encapsulation of aggregate documents, such as] HTML (MIME,
              HTML, RFC 2110)

Holy boring, Batman.

Yawn... Slow news day?

[mysidia]

The bug's not new... in multiple editions of Windows; that means it's been around for quite a while.

Newly discovered, yes, but in the average month there are over 20 serious newly discovered bugs in Windows. And there are millions more where that came from.

Re:Yawn... Slow news day?

[PPNSteve]

The bug's not new... in multiple editions of Windows; that means it's been around for quite a while.

Newly discovered, yes, but in the average month there are over 20 serious newly discovered bugs in Windows. And there are millions more where that came from.

It's not a bug! It is a FEATURE!!
Get with the times, man.

Re:Yawn... Slow news day?

[mysidia]

It's not a bug! It is a FEATURE!! Get with the times, man.

No... it's both a bug and a feature.

In Windows parlance... some features are bugs. All bugs are features.

What the f*ck is MHTML?

Filter error: You can type more than that for your comment.

Re:What the f*ck is MHTML?

[snookiex]

I hate those .mht files. I thought they weren't a standard, but turns out that that format is a kind of.

Re:uhh

[hairyfeet]

What EXACTLY is wrong with system restore? I've found especially with my click happy love to install software customers and relatives having a "quick undo" button comes in damned handy! Now of course system restore is in no way shape or form a substitute for backups, which is why I have them set up with weekly differentials and full backups monthly on USB HDDs, but you can't expect them to run a differential every time they want to try something new.

And who cares about "gigabytes" of anything anymore? Hell the lowest machines I sell have 500GB HDDs and even the kids P4 hand me downs have 400Gb drives, so why would anybody care? It isn't like huge drives are expensive.

So I really don't see what the problem is with system restore. For a quick undo button it works just fine, with huge drives worrying about 20-50Gb being reserved for system restore is frankly pointless when everyone has more space than they know what to do with, and when used with a combination of good AV, weekly backups, and a lower risk browser like Firefox or Chrome with ABP it does just what it should do, which is provide a quick way to roll back changes if something goes wrong. So what EXACTLY is so bad about it, because frankly I haven't seen a problem with system restore since XP SP2 came out.

Re:uhh

[LordLimecat]

Because its reliability is spotty at best, its a haven for viruses (super-duper-hidden System Volume Information ftw!), and you never know what it will and will not break.

Re:Not the exploits fault

[disambiguated]

I think you meant ActiveX. ASPX is a server-side technology; I doesn't require browser support.

Someone call teh ROFLCOPTER

[Crypto+Gnome]

MSIE just shot itself in the foot.

MHTML is a microsoft-ism

If you do not use the worlds-most-villified-browser, and if you have also not explicitly installed a plugin (or otherwise) to enable MHTML support in our *much less sucky* browser, then you are golden.

Re:Someone call teh ROFLCOPTER

It appears they are just like slashdot, No fucking clue whatsoever

Re:Someone call teh ROFLCOPTER

[shutdown+-p+now]

Opera also supports MHTML.

Google Chrome

[satuon]

This makes me glad I use Google Chrome. As well as the speed, of course.

Re:Google Chrome

[VortexCortex]

This makes me glad I use Google Chrome. As well as the speed, of course.

Who doesn't use "the speed"; I agree, using it makes everything better -- Just don't get too addicted. However, Chrome is overrated, IMHO; Mirrors work just as well.

monolithic system

[amn108]

Goddamned monolithic systems... Insecure components breaking entire installations, where the components themselves are not used more than once a year perhaps. Way to go, Microsoft, seems you're religious about all of it.

Why don't you link to the Microsoft adisory?

[Otis_INF]

Now you link to some blogpost/article on some random site, which only rehashes what Microsoft's own article at teched has to say as well..

Link to direct advisory:
https://www.microsoft.com/technet/security/advisory/2501696.mspx

Finally!

[StripedCow]

Now we can finally run native code in a mainstream browser?

Summary Misleading

The summary states, "which could allow an attacker to run code on vulnerable machines," however both the linked blog and the advisory from Microsoft both clearly state that this is an XSS vulnerability that could lead to Javascript being executed within the browser in the context of the current web site. This is an information disclosure vulnerability, not a remote code execution vulnerability.

Re:uhh

[hairyfeet]

Citation please? Because both Comodo (which I prefer for the click happy) and MSE (which I prefer for the "just check their email" types) routinely scan system restore points and will delete them if a bug is detected. And as for system restore breaking anything? I honestly haven't seen any behavior of the sort, both in customers or family, since XP SP2 came out. As a SOP before having them restore from a backup I have them attempt a system restore rollback and frankly as long as there is a point before the error I haven't seen it fail yet, hell with Win 7 you can even run system restore using the DVD if for one reason or another the machine won't boot.

So unless you've got current citations of some widespread problem I haven't heard about I'm gonna have to say you're going on old info, right up there with "Windows suffers from lots of BSODs" (not unless you have seriously flaky drivers or hardware, and in Win 7 not even then) "ATI drivers suck in Windows" (IME not since AMD bought them, everything after that runs as well as Nvidia) or the classic "All AMDs run too hot" (not since the old Athlon XPs, most of their chips are 95w or below now).

I'll be the first to admit the first gen system restore sucked and suffered from what you describe, but then again it was on WinME which was a mistake all around. Once XP became the mainstream with SP2 all the AV companies simply added scanning to sysvol which took care of the "restoring a bug" bit, and if you are running a good AV (like those mentioned above) frankly you shouldn't be able to get a bug in the first place without PEBKAC intervention. And also since SP2 the tech around system restore has matured to the point it "just works" and as I said I have clients and family as well as myself on both XP and Windows 7 use it and I've yet to see a problem caused by using system restores.

Hard drives are big and cheap, it doesn't use CPU unless it is making a restore point which with triples and quads so cheap most of the people I deal with have plenty of cycles to spare and even the kids hand me downs are Pentium duals, and it is certainly quicker and easier to use a system restore than have to restore from a full or differential backup, so what's the problem?

Re:Windows is still great.

[catmistake]

nice. LOL

Amazing...

[WaffleMonster]

I continue to be amazed by all of the crap that can be invoked within your browser upon demand by the operators of any web site on the planet by default.

There are browser security bugs..but they seem to be just the tip of the iceburg. Most of this extraneous crap most can live without but it is still there for anyone with some spare time to expliot regardless.

Re:uhh

[camperslo]

Since MHTML is a web archive format that is also used by MS Word, perhaps there's a possibility of issues there too.

Since the article/advisory don't really say what MHTML is (It's not Microsoft HTML!), here's the wikipedia description for those not motivated to look it up:

"MHTML, short for MIME HTML, is a web page archive format used to combine resources that are typically represented by external links (such as images, Flash animations, Java applets, audio files) together with HTML code into a single file. The content of an MHTML file is encoded as if it were an HTML e-mail message, using the MIME type multipart/related. The first part of the file is normally encoded HTML; subsequent parts are additional resources identified by their original URLs and encoded in base64. This format is sometimes referred to as MHT, after the suffix .mht given to such files by default when created by Microsoft Word, Internet Explorer, or Opera. MHTML is a proposed standard, circulated in a revised edition in 1999 as RFC 2557"

One gripe I have about the story as posted here, which is NOT a problem in the linked article or advisory, is calling the bug NEW. While a particular researcher discovered it recently, it is not safe to assume that no one else knew about it. This affects XP, meaning it could have been used anytime over a number of YEARS. While it's easy to only raise eyebrows over issues actively doing widespread damage or causing net congestion, it is always possible that someone else out there has discovered an issue and has written code to exploit it, but just hasn't used it yet, or has kept it for focused attacks on specific targets. To an individual, organization, or government that gets hit it may not be matter much whether an exploit has seen much use elsewhere. We should not trivialize vulnerabilities by acting as if they were only a potential danger during a very brief window. There certainly are those out there who won't report vulnerabilities for fixing and have a virtual tool chest of exploits to unleash whenever they see a reason to.
A secret weapon would likely be far more effective than one a target has had time to prepare for.
Security policies should be designed to defend against unknown vulnerabilities. Being current with patches isn't enough. While OSes with a better track record than Windows don't see the mass-market exploits, that doesn't mean that their vulnerabilities wouldn't get exploited under some circumstance. Being hit by a little used or unknown exploit may actually have more impact on a target with it being less likely to be discovered.

Re:uhh

[Peach+Rings]

I don't like it because it's not clear what exactly it does. If I want to remove some application I'd only use a clean uninstaller, not some generic tool that attempts to overwrite changes to certain unspecified locations.

Re:uhh

[Hylandr]

Slashdot,

where art thou haters of Microsoft? Whence does a man calling out Microsoft get beaten like a straight man in a gay parade?

TO HELL with mod points, Microsoft bought Slashdot...

- Dan.

Re:uhh

[LordLimecat]

If you have a virus that is infecting system restore points, your antivirus isnt going to be detecting anything-- its already been subverted. If you dont understand this, then youve bought into the whole "AV will protect you from viruses, full stop" myth, and obviously havent had to deal with many infections (client or otherwise).

As for it not breaking things, it certainly is possible and Ive certainly seen it; whether that was recent is moot, as once I realized how much of a waste of time it was, I stopped using it. Every time Ive tried to use it, it has ended up not fixint the issue, where I would have been better off doing a repair installation, or manually fixing whatever the issue was (be it through MSI cleanup utility, or autorun inspection tools, or sfc scan, or chkdsk /p).

And heres the real kicker-- if i want the ability to quickly undo changes (like, im about to attempt some rather dangerous registry edits), ERUNT kicks the crap out of system restore-- it always (ALWAYS, baring fs corruption) works, can be restored offline, and doesnt use gigs and gigs of data.

You can argue that its a good alternative for home users who dont know how to do such things-- and I would concede that I have met a few people who mentioned "we had bug X, but fixed it with a system restore", but such stories typically end with "but now we have bug y, can you fix it?" At the end of the day, if i am going to be running systems repairs for friends and families, id much rather they not much around with system restores, given the potential issues that can happen if a restore fails, or breaks Norton's AV to such an extent that nothing works, or trashes something unexpected.

So maybe for someone who has noone to help them out on the technical side of things, it is a boon; but I cannot see a SINGLE scenario where I would not be better served with either
A) fixing the issue by hand
B) reinstalling the operating system
C) just set up ERUNT on all of my computers and use that instead

Re:uhh

Whence does a man calling out Microsoft get beaten like a straight man in a gay parade?

When said man acts like a "faggotty little cock sucker", is when.

Re:uhh

[hairyfeet]

Uhhh...you DO know that you can have an infected file that isn't active yes? That most of the malware today use social engineering and are Trojan based, which means the user has to launch it first to cause an infection? As for AV the last tests I saw with Comodo were 98.4% and MSE something like 96.something%. So when combined with a more secure browser like Firefox or Comodo Dragon with Adblock Plus the odds are EXTREMELY low of getting a bug that the user doesn't explicitly install.

And whether it was "recent or not" is anything BUT moot as trying to base assertions on things you saw 7 or 8 years ago is FUD, no different than saying "Windows uses DOS!","Macs can't multitask!" or "Linux is a hobbyist OS built in Linus' basement!" because while those statements were true over a decade ago time has marched on and they simply aren't true now.

And can you please show me ANYWHERE where I said to use system restore for virus removal? Because now you are building strawmen as I NEVER said anything of the sort. I said "having a "quick undo" button comes in damned handy! " and "you can't expect them to run a differential every time they want to try something new." Now nowhere in that can you find a single word about using system restore for virus removal, in fact if you have gotten to the point you are infected the battle is already lost.

But for removal of buggy software or drivers, especially in XP where apps have a nasty habit of shotgunning system32 with DLL crap? System restore is a wonderful thing to have. And the fact that you refuse to say whether your experience is recent or not (hell you could be talking WinME) leads me to place your statements without citations into the FUD bin.

It just concerns people using MSIE?

[Archeleus]

In that case, who really cares? I'm pretty sure that almost none of the /. crowd uses the retarded browser in the first place.

Re:uhh

[LordLimecat]

That most of the malware today use social engineering and are Trojan based, which means the user has to launch it first to cause an infection

Youll need to cite a source for that, anecdotal evidence (the several hundred infections i deal with per year) shows that the vast vast vast majority of infections do not require such crude interaction; they rely on browser and plugin exploits to launch no-click infections.

As for AV the last tests I saw with Comodo were 98.4% and MSE something like 96.something%

No AV that I have seen has detection rates quite that high. Last comprehensive study I saw (about a year ago) showed the top contenders hovering around 81% detection on unknown binaries. MSSE is certainly quite decent, but AGAIN, if you have something dropping stuff in SystemVolume Information, it already has a minimum of administrator priveleges, and most likely SYSTEM priveleges (given the permissions on that folder). It has already circumvented whatever AV you have, and probably already patched your bootloader. This very day I had to disinfect a computer running MSSE, since it had been rootkitted, and MSSE saw no issues (nor did I at first glance, till I launched combofix).

you saw 7 or 8 years ago is FUD

I deal with computers for a living; Im an IT consultant, and do a number of jobs for friends and family. I have seen these last two years cases of system restore either only partially working, or failing, or messing things up. Regardless, I do not want them messing with the "evidence"; my job is to figure out the issue and correct it, and people making changes post-problem do not make my job easier.

And can you please show me ANYWHERE where I said to use system restore for virus removal

I do not believe I implied that; certainly such a use would fail. However, the functionality itself can lend itself to hiding viruses as it leaves a section of the drive that most are unaware of, and many programs do not have priveleges to see. And again, if stuff is getting dropped in there, you are mistaken if you think your AV picking it up means "problem solved"; you are still rootkitted.

But for removal of buggy software or drivers, especially in XP where apps have a nasty habit of shotgunning system32 with DLL crap?

DLLs in system32 are not necessarily an issue. If they are not called, they dont really do anything. Using system restore to remove buggy drivers is retarded; www.sysinternals.com has autoruns which can with 1 click disable said driver. Preface that with a registry backup with ERUNT and youre golden. No need for crossing your fingers and hoping system restore doesnt fail.

And the fact that you refuse to say whether your experience is recent or not (hell you could be talking WinME)

I wouldnt be recommending ERUNT if i was talking WinME, as that is most certainly NOT NT, and ERUNT would not function on it. I have scant experience with ME, and extensive (and ongoing) experience with XP.

because while those statements were true over a decade ago time has marched on and they simply aren't true now.

Again, I dont see how system restore does a job that is not done far better by one of the methods I mentioned. Troubleshoot the problem rather than trying to do a ghetto pseudo rollback which may or may not fix an issue and may or may not hose certain programs. Want quick reversion of changes? Use ERUNT.

Re:uhh

Whence does a man calling out Microsoft get beaten like a straight man in a gay parade?

Calling out? Looks more like you're just doing the standard 'i don't trust microsoft' spiel, doesn't appear you're calling them out on anything legitimate.

are you feeling lucky, well are you?

[hesaigo999ca]

Anyone have the link of the infected website, where i could test if my work machine is vulnerable....just kidding.

Re:uhh

[hairyfeet]

Hi Peach Rings! You don't know what it does? Well allow me to elucidate!

When you choose to make a restore point Windows first makes a backup of the registry (which is what takes a few seconds when you first choose to make a point) it then monitors the file system during software installations (which have to conform to standard conventions which is why if you want a particular installation monitored you should change the name to "setup.exe" in case they use a funky installer) and uses Volume Shadow Copy to make backups of any file the installer alters or replaces. Then if you choose to use system restore it replaces any alterations in the registry or file system with the backups, and voila! System Restore.

But this is why when you do a system restore you may find an empty folder of the original program name in /user name/programs, because system restore is monitoring for changes in the Windows and Users settings but doesn't care about simply making a new folder in programs. As I said I wouldn't recommend these instead of backups, and if you want an even more robust system (especially on WinXP) I would use Comodo Time Machine which provides a boot up recovery option AND seems to catch any and all alterations done by installers better than System Restore (and it uses VERY little resources to boot) but for a built in recovery and undo button system restore works and works quite well.