While admin is not quote as all-powerfull as SYSTEM, it does have the ability gain the permissions of SYSTEM, so it may as well be "all-powerfull".
FYI, IIS6 runs as a less priviledged account now. The more sensitve parts of it run as an account with virtually no privileges. I huge improvement over IIS5.
Also, you mentioned quickbooks. This too can be fixed easily to work for regular users by modifying a few permisions. The vendor of Quickbooks has a KB article on their website that explains how to fix it.
Uhhh. Any browser could be used to do system updates using java applet. Microsoft's just happens to use ActiveX instead of Java.
The scary part is not that people use the browser in that way. It's that people run with root-level access, which allows them to use their browser in that way.
We use UPS world ship. It ships with a little program you can run that will make it work for regular users. It's in the program directory (normally C:\ups I think). I don't remember the name of the utility and the computers I know run it are not on, so I can';t find it right now. Browse the program directory and look at the.exe files and you should be able to find it. Run it as an administrator and your users will be able to use the program without any special rights.
As for diabling IE, I can't remember the dlls. I found them by running process explorer and looking at which dlls IE used. One of them is "mshtml.dll". Deny "everyone" access to that dll and I'mmpretty sure IE will puke when you try and use it. I personally don't bother, because IMO IE is not as huge a security threat if you practice other more important secuirty practices - such as running as a non-admin, or simply choosing not to use it.
The non-admin site is not mine. I've just contributed to it.
Which is part of the window manager which according to this image from microsoft.com has been run in kernel mode since NT 4.0 (Article ref).
Yes, the "Window manager". The equivalent of that in *nix would be X, which runs also in kernel mode. Your point?
If that weren't the case, then Explorer could not hang the window manager (which it sometimes does).
Explorer does not have the ability to arbitrily "hang the Window manager" in Windows. If the system has buggy drivers or what not, the "Window manager" can certainly hang itself though. I realize that the Window manager and GDI running in kernel mode has the potential to make WIndows less reliable than other OS's, but it has nothing to do with Internel Explorer, or Explorer.
In WindowsXP you can run `wuauclt/detectnow` which causes the Windows Update client to check for updates immediately. From there you can install udpates after the little icon pops up in your system tray. This is not perfect, but it does mean you don't have to use IE. In Windows Vista the update function has it's own control panel app and updating via the browser is not possible.
"Some of the IE code is actaully running in kernel mode"
Can you define "Kernel Mode". Googling, I see this, which if is what you are talking about, tells me that you are wrong, because exploits in IE have no ability to gain priviledge higher than the user's.
These are the things I know from experience:
* Exploits that hit IE gain the priviledges of the user. Since most Windows users run as administrator, the priviledges are generally unlimited, but if the user is running as a restricted user, the exploit can not doing anything that the user can't do. This is standard for any userland program.
* IE can be completely neutered by denying access to a few key dlls. This will break certain other components of the OS, but contrary to many claims, will not cause Windows to be unusable, or unstable. Things that break when you neuter IE in this way are the help and support center (which is a glorified IE shell), and certain functionality in explorer.
Wow your so cool.. you throw in those nice alternate browser references nice and early on - sure to be modded insightful.
What's even cooler is that one of the browsers he mentions (Koqueror) is just as much "embedded into the OS" (i.e. uses shared libraries that if removed affect other userland programs) and IE.
My point rather, is that you would be more pursuasive if you brought scientific arguments to the table rather than extremist political ideology.
It was not my intention to link to sites that feature misinformation. I just did a quick Google and linked to a couple of sites that seemed to coroborate with things read/heard/seen about the nuclear winter scenario. I had never seen those sites before, and to be honest the second one did look like it was run by some kooky Mormons. As for the first one, I never looked at any other part of than the text file. I see now that it's a conservative BBS, or something like that. Oops.
I never said, nor do I belive that a huge nuclear exchange would not have a global affect on weather - only that the original nuclear winter scenarios touted by Carl Sagan were hugely overblown, and the affects would not be quite so prolonged.
After Googling more, I see that (of course!) politics have gotten into this debate. That makes it a little harder to research it because you have to wade through tons of bullshit.
next to no one would use such a steaming pile in a production enviroment!
I used it in production for almost three years as a spam box. It ran at ~90% CPU utillization all that time an never had a problem....except for the time I accidentally did `postsuper -r ALL|postfix reload` instead of `postsuper -r ALL;postfix reload`. That gave me a kernel panic.
As opposed to the mom and pop stores that stock the exact same cheap crap for higher prices. Feel free to shop at those and "stick it to the man" all you want. I'll stick to Walmart/K-Mart/Target, thank you.
I hate IE. I don't use it for many reasons - security being one of them. I've been a firefox user since 0.7 beta. I'm just not ignorant about how operating systems and their various security subsystems work.
My stated assertion was that MSIE is an integral part of the Windows OS, which means that there is an inherently unsecurable set of portals to the outside world, the browser, that is insufficiently isolated from the OS. So that exploitations of vulnerabilities in the browser can lead to such nasty infections as keyboard loggers, rootkits, and zombie processes (rather than being isolated to just messing up the browser session).
And once again, your stated assertion is wrong. An exploit in IE carries no more danger to the user than an exploit in FireFox. There have been plenty of exploitable remote code execution flaws in FireFox that if exploited could easily lead to the installation of key loggers, and other nasties. There have also been tons of flaws in other components such and flash and java that are completely browser independent. It all comes down to the rights of the user browsing the web. Exploit code that hits IE cannot install key loggers if the user does not have the right to install a key logger. The same goes with other browsers and programs. This seems to be an area that you don't comprehend. IE and the libraries it uses are userland programs that carry the rights of the user using them, and nothing more.
Good. Now then, M. Toadlife, demonstrate to me that my assertion is wrong by telling me and anyone else who reads your words how to cleanly remove IE from WinXP. Tell me how to do this in the same clean way I can remove MS Office or MS FrontPage. Or Firefox. That is, without destroying any of the other functionality like the help system, or destabilizing the OS.
Take your time. I'll wait around a while, because I'd just love it if you could show me how I'm wrong. If I can reclaim the ram, disk space, and cycles that MSIE is wasting on my machine, I'd do it in a heartbeat.
Way to change the subject. I never said anything about removing IE from the OS - because it is not necessary. You start by claiming that IE grants malware root access to the system while in the same situation other browsers don't (false), and then change the subject to the fact that the core libraries that IE make use of can't be removed from the system without breaking the help and support center. Do you make it a habit of browsing the web from the help and support center or something?
As far as resources, there are no "cpu cycles being wasted" by IE's core libraries being on your system, as they are only loaded into memory when they are needed. If you use an alternate browser like FireFox, then they will almost never be loaded - unless you like to browse the web from the help and support center or the mmc console.
There is absolutely nothing "interesting" or "insightful" about the post above. In fact, I would say by modding this post so high, the collective intelligence of everyone who has read it (and doesn't know any better) has been decreased considerably.
The author has bought into, and is dutifully spreading one of the biggest myths about Internet Explorer - that it somehow carries more rights and privileges to the OS than the user who is using it. The author also claims that firefox offers some sort of (magic?!) protection that keeps exploit code from accessing the OS. Both of these assertions are false.
If you would like to make Slashdot a better place, please click on "preferences" on the bar next to your username at the top. Then click on "homepage" and un-check the box that says "Willing to moderate".
[blockquote]MSIE was rewritten in the mid 1990s so that core modules became an integral part of the Windows OS. It is generally recognized that maintaining a wall between OS and app is good engineering, partly because it avoids many difficult security issues.[/blockquote]
Define "OS". Internet Explorer uses a set of core libraries that are also used by other components that come with Widnows, such as explorer, MMC, help, etc. This was done to make life easier for programmers, and it does what it was intended to do. Shared libraries are a common occurance in all operating enviroments. KDE and gnome both make heavy use of shared libraries and flaws in these libraries cna lead to explotation of any program that uses them. OSX (webcore/webkit I think?) also do the same exact thing.
[i]"Firefox preserves the wall between itself and the OS, and is not a superhighway into the core of the OS, the way today's MSIE is."[/i]
This is one of the biggest myths about IE. IE does not have any more access to the OS that the person running it does. The same goes for firefox or any other browser.
Slashdot Mirror
It's not about bandwidth. It's about latency.
You didn't latch onto a POTS connection, you latched onto the signal from someone's cordless phone.
"video drivers!=X (or you could say that *every* app runs in kernel mode)"
Yeah, you're right.
You will have to forgive me, as I got caught following the logic of the parent.
Thanks, I knew this.
While admin is not quote as all-powerfull as SYSTEM, it does have the ability gain the permissions of SYSTEM, so it may as well be "all-powerfull".
FYI, IIS6 runs as a less priviledged account now. The more sensitve parts of it run as an account with virtually no privileges. I huge improvement over IIS5.
Uh ? X runs in kernel mode ? Nonsense !
It's runs with root-level permisions, and the drivers run in kernel mode.
What exactly is nonsense?
Also, you mentioned quickbooks. This too can be fixed easily to work for regular users by modifying a few permisions. The vendor of Quickbooks has a KB article on their website that explains how to fix it.
Uhhh. Any browser could be used to do system updates using java applet. Microsoft's just happens to use ActiveX instead of Java.
The scary part is not that people use the browser in that way. It's that people run with root-level access, which allows them to use their browser in that way.
We use UPS world ship. It ships with a little program you can run that will make it work for regular users. It's in the program directory (normally C:\ups I think). I don't remember the name of the utility and the computers I know run it are not on, so I can';t find it right now. Browse the program directory and look at the .exe files and you should be able to find it. Run it as an administrator and your users will be able to use the program without any special rights.
As for diabling IE, I can't remember the dlls. I found them by running process explorer and looking at which dlls IE used. One of them is "mshtml.dll". Deny "everyone" access to that dll and I'mmpretty sure IE will puke when you try and use it. I personally don't bother, because IMO IE is not as huge a security threat if you practice other more important secuirty practices - such as running as a non-admin, or simply choosing not to use it.
The non-admin site is not mine. I've just contributed to it.
"By that logic, all software runs in kernelspace, because all software talks to the kernel."
Oh crap. You're right. I'm no expert, but do you think we could mitigate this risk but using an OS with no kernel?
Hurd maybe?
Yes, the "Window manager". The equivalent of that in *nix would be X, which runs also in kernel mode. Your point?
Explorer does not have the ability to arbitrily "hang the Window manager" in Windows. If the system has buggy drivers or what not, the "Window manager" can certainly hang itself though. I realize that the Window manager and GDI running in kernel mode has the potential to make WIndows less reliable than other OS's, but it has nothing to do with Internel Explorer, or Explorer.
In WindowsXP you can run `wuauclt /detectnow` which causes the Windows Update client to check for updates immediately. From there you can install udpates after the little icon pops up in your system tray. This is not perfect, but it does mean you don't have to use IE. In Windows Vista the update function has it's own control panel app and updating via the browser is not possible.
"Some of the IE code is actaully running in kernel mode"
Can you define "Kernel Mode". Googling, I see this, which if is what you are talking about, tells me that you are wrong, because exploits in IE have no ability to gain priviledge higher than the user's.
These are the things I know from experience:
* Exploits that hit IE gain the priviledges of the user. Since most Windows users run as administrator, the priviledges are generally unlimited, but if the user is running as a restricted user, the exploit can not doing anything that the user can't do. This is standard for any userland program.
* IE can be completely neutered by denying access to a few key dlls. This will break certain other components of the OS, but contrary to many claims, will not cause Windows to be unusable, or unstable. Things that break when you neuter IE in this way are the help and support center (which is a glorified IE shell), and certain functionality in explorer.
What's even cooler is that one of the browsers he mentions (Koqueror) is just as much "embedded into the OS" (i.e. uses shared libraries that if removed affect other userland programs) and IE.
Ten bucks says he still gets modded up for it.
If your vendor is Cisco (Unity, etc) then I would estimate....six moinths.
It was not my intention to link to sites that feature misinformation. I just did a quick Google and linked to a couple of sites that seemed to coroborate with things read/heard/seen about the nuclear winter scenario. I had never seen those sites before, and to be honest the second one did look like it was run by some kooky Mormons. As for the first one, I never looked at any other part of than the text file. I see now that it's a conservative BBS, or something like that. Oops.
I never said, nor do I belive that a huge nuclear exchange would not have a global affect on weather - only that the original nuclear winter scenarios touted by Carl Sagan were hugely overblown, and the affects would not be quite so prolonged.
After Googling more, I see that (of course!) politics have gotten into this debate. That makes it a little harder to research it because you have to wade through tons of bullshit.
Oh well.
I believe the nuclear winter scnenario as you describe it has long been disproven.
Here are some links...
http://www.fortfreedom.org/s05.htm
http://www.oism.org/nwss/s73p912.htm
And IP over HAM...if it comes down to it.
I used it in production for almost three years as a spam box. It ran at ~90% CPU utillization all that time an never had a problem....except for the time I accidentally did `postsuper -r ALL|postfix reload` instead of `postsuper -r ALL;postfix reload`. That gave me a kernel panic.
As opposed to the mom and pop stores that stock the exact same cheap crap for higher prices. Feel free to shop at those and "stick it to the man" all you want. I'll stick to Walmart/K-Mart/Target, thank you.
It seems you have a few misconceptions about me.
I hate IE. I don't use it for many reasons - security being one of them. I've been a firefox user since 0.7 beta. I'm just not ignorant about how operating systems and their various security subsystems work.
You sir, are.
Good day.
And once again, your stated assertion is wrong. An exploit in IE carries no more danger to the user than an exploit in FireFox. There have been plenty of exploitable remote code execution flaws in FireFox that if exploited could easily lead to the installation of key loggers, and other nasties. There have also been tons of flaws in other components such and flash and java that are completely browser independent. It all comes down to the rights of the user browsing the web. Exploit code that hits IE cannot install key loggers if the user does not have the right to install a key logger. The same goes with other browsers and programs. This seems to be an area that you don't comprehend. IE and the libraries it uses are userland programs that carry the rights of the user using them, and nothing more.
Way to change the subject. I never said anything about removing IE from the OS - because it is not necessary. You start by claiming that IE grants malware root access to the system while in the same situation other browsers don't (false), and then change the subject to the fact that the core libraries that IE make use of can't be removed from the system without breaking the help and support center. Do you make it a habit of browsing the web from the help and support center or something?
As far as resources, there are no "cpu cycles being wasted" by IE's core libraries being on your system, as they are only loaded into memory when they are needed. If you use an alternate browser like FireFox, then they will almost never be loaded - unless you like to browse the web from the help and support center or the mmc console.
..the above post up.
PLEASE STOP MODERATING.
There is absolutely nothing "interesting" or "insightful" about the post above. In fact, I would say by modding this post so high, the collective intelligence of everyone who has read it (and doesn't know any better) has been decreased considerably.
The author has bought into, and is dutifully spreading one of the biggest myths about Internet Explorer - that it somehow carries more rights and privileges to the OS than the user who is using it. The author also claims that firefox offers some sort of (magic?!) protection that keeps exploit code from accessing the OS. Both of these assertions are false.
If you would like to make Slashdot a better place, please click on "preferences" on the bar next to your username at the top. Then click on "homepage" and un-check the box that says "Willing to moderate".
Thank you, and have a nice day.
And you are 100% wrong in your assertion.
[blockquote]MSIE was rewritten in the mid 1990s so that core modules became an integral part of the Windows OS. It is generally recognized that maintaining a wall between OS and app is good engineering, partly because it avoids many difficult security issues.[/blockquote]
Define "OS". Internet Explorer uses a set of core libraries that are also used by other components that come with Widnows, such as explorer, MMC, help, etc. This was done to make life easier for programmers, and it does what it was intended to do. Shared libraries are a common occurance in all operating enviroments. KDE and gnome both make heavy use of shared libraries and flaws in these libraries cna lead to explotation of any program that uses them. OSX (webcore/webkit I think?) also do the same exact thing.
[i]"Firefox preserves the wall between itself and the OS, and is not a superhighway into the core of the OS, the way today's MSIE is."[/i]
This is one of the biggest myths about IE. IE does not have any more access to the OS that the person running it does. The same goes for firefox or any other browser.