Our investigation so far has shown that Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 is not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are vulnerable.
I posted something similar about this days ago on yet another similar topic, but was laughed at by the MS/IE zealots who claim Microsoft said only IE6 is vulnerable... so, since they can't read obviously, there it is again... with the relevant section BOLDED this time.
C'mon folks, these RCEs are not new stuff, and seem to exist in EVERY version of IE since the beginning of time till now with "patches" that never fully address the issue (hence, as MICROSOFT themselves noted, this issue is... well... still an issue... even for IE7 and IE8).
Their lame (see story link above) answer that people should upgrade to IE8 as if that was the solution to this problem is idiotic. Yeah, people should upgrade to IE8 (if their machines can actually run it - some of my clients have older, slower machines and no budget to replace them)... but Microsoft should also be working on actually fixing all the RCE exploits and buffer issues in the IE line.
Regardless, my point is, with so much coverage over this (on Slashdot alone), you'd think the "Story Approvers" or author would have gotten that glaringly misleading (and incorrect) point correct. Oh well.
Good points, and a great perspective on it. I hadn't thought about how that was probably an even bigger hurt on their future marketshare (which I should have since virtually anyone can get the Android code and SDKs).
Why yes I do... you mean the one that Microsoft weaseled out of portions of, like a feature complete and compatible version of Office and the likes? The one when Apple was NOT on the verge of bankruptcy? The one where Microsoft's contribution was minimal in the grand scheme of things? (kinda like giving a millionaire a few thousand dollars).
Except, the article seems to be pure speculation by BusinessWeek, as opposed to anything from Apple hinting at it. These "analysts" can think or say what they want... they've been wrong in the past, especially about Apple. Time will tell... but I still think Apple would not even consider such a partnership.
Well, the Enterprise is virtually on the Mall in DC - at least the last time I was there... right inside the Smithsonian. I think you can even see it from the Mall through the windows at the Smithsonian.
So, it probably wouldn't take that much to move it outside to convert to housing.
I dunno... I disagree. Apple's partnerships with Microsoft have always ended badly.
On top of that, it's not like Google is really advertising the Nexus One (hence the "poor" sales), so I don't see how it would drive anyone to do anything. The article would have been more correct if it discounted the Nexus One and simply grouped all Android phones as the driving force.
That aside, Google's "search everywhere on the phone - or the web" search seems better than anything Microsoft has to offer. And Apple's current search seems better as well (in that respect). So, switching search providers to Bing doesn't seem to gain much benefit to Apple.
Conversely, setting Bing as the default search provider could push away some quantity of pro-Apple/Anti-Microsoft fans. Now, while I don't have an iPhone (I happily use my "antiquated" G1), I for one would not ever switch my search provider to Microsoft... their current "privacy" policy's interpretations aside, they have done nothing to really ensure me they are not still selling my search data and whatever personal info they can glean from it. As a matter of fact, their current policy states they still do (it's the whole Microsoft partner thing that is always snuck in)... while at least Google, even though privy to more information, doesn't seem to actually sell the raw data, but instead sells services where you can advertise through them to people who meet certain data requirements. That leaves my "options" as use Bing and allow Microsoft and their "partners" to access my data, or use Google and allow Google and... oh, that's it... access to my data. As Microsoft has made many a claim in this (privacy) and other areas in the past (while even sneaking in little sections stating they can sell your data, images or whatever that you put on their services), yet claim they protect their users' privacy, I still see them as the worst option.
And no, I am not trying to start an anti-Microsoft rant. I am trying to say that, as a technologically savvy computer user (ie: tech, programmer, web designer) who actually reads the EULAs and knows what little hidden gems are in them, that I would expect many Apple users (many of whom already seem to have something against Microsoft - some for valid reasons, such as dropping Office support, reinstating Office support (well, a subset of it), then dropping Office support... trying to prevent certain of their OS's from running under virtualization software on MacOSX, etc) will also not be happy with such a partnership and may turn away from Apple - especially with Android based phones gaining some ground.
So, for Apple's sake, I'd think them making their own search engines/tools or sticking with Google, may be their best bet. Gotta remember, it doesn't matter if Apple/iPhone users are zealots or misguided - or right on the money... what matters is how that will affect Apple's marketshare and mindshare in the iPhone/smartphone marketplace (hence my point about not trying to start a flame war or my post being intended as a rant). It's all about public perception - or in this case, customer perception... reality does not matter in those situations (whether the reality I paint above is true or not... since it is widely held perception, which for marketshare, beats reality every time). But that's just my opinion.
Oh well, no big deal to me. By the time I found something on NYT that I was interested in reading, it was already in their paid section and no longer free to view.
I wonder if the printer versions and such will also be "paid only" or if that little loophole will remain unfixed.
Refer to my:
"and travels into the boonies of upstate (New York) or through NYC in West New York (ie: New Jersey) a bunch, I am happy with TMo. When I am in the boonies upstate, it roams (including 3G where available) but I don't get charged for it."
Port Henry and Ticonderoga are not influential congress critter's districts. The exact opposite.
The thing that most people don't mention (or even know) is that roaming (due to agreements with numerous carriers, including AT&T) does not cost extra for TMo customers. It works and acts just like regularly connecting via T-Mobile.
So, technically, T-Mobile's coverage is better than AT&T's, as a T-Mobile customer has access to T-Mobile's network... or AT&T's network (and various others, including some Verizon owned ones) where T-Mobile doesn't have coverage.
Maybe you simply had roaming turned off on your phone? I did that until I realized that roaming was simply counted towards one's minutes in the same way that regular TMo network usage was.
Or maybe you simply didn't have a quad band phone on TMo (some of the really older ones weren't quad band... all of mine have been) and thus could not roam on certain other networks where different bands were used?
Perhaps that is why I have equal or better coverage than others on other carriers?
That is correct. And the legal term used most commonly (maybe entirely?) is treble and not triple. I was involved in a lawsuit my former employer filed against a mall management company that stole our property and illegally sold it, where the damages they were facing were listed in every court document and document filed with the court as "treble" (which is how it is referenced in NYS law as pertaining to damages caused through committing a crime).
Or you can learn to use Google. They are there. Or search Slashdot. It's there too. Or simply search through Microsoft's HotFix lists and such for .NET. They have an entire page devoted to it.
So, at this point, with the evidence SO easily findable, I think you just have no interest in reality. Good luck with that.
All you've linked to was DEP being bypassed. That's fair enough. But DEP is not UAC.
Just use Google... "UAC being bypassed exploit"
Due to the elevated COM object which controls UAC being on the whitelist (list ... just the Windows ones and the ones that bypass the prompts via exploits. ...
Hmmm... smell like the recent .NET exploit that I already mentioned 3 times in these threads?
Yes, the majority of the issues are probably user error.
That's not my issue at hand... people who claim that UAC and DEP are impenetrable are my issue. They are not. They have been exploited numerous times in the past. Microsoft keeps releasing shoddy patches that do not address the underlying faults in the architecture of them. Thus this problem will never really be fixed... hence, let's see... 2 service packs and what is it now... 60? 70? other hotfixes and updates to Vista? And it still isn't fixed?
Either way, none of this defeats the fact that IE8 on Windows 7 with UAC kicked up is your best protection against any of these attacks, short of using something like Chrome which provides extra sandboxing.
BINGO! To me, that reads (combine this sentence with the paragraph above about them not really fixing the underlying problem): "Windows 7 with UAC is your best option other than any other option on Windows 7, because Microsoft will not ever fix the underlying problems in UAC, DEP and .NET/Active X"
Really, it's not rocket science. They simply will not fix the stuff properly because of their dependence on Active X and .NET (a dependence that grows every time they release some new "technology" like Silverlight), thus, exploits will always exist, and Microsoft will get around to patching specific vectors once enough bad press has hit the Internet, still leaving the underlying mechanism broken due to the ancient, fragile, hole-ridden Active X and .NET underlying architecture used via their browser - and now, add to that list, their pathetic, exploitable, slow Javascript engine.
Do you have any proof showing that UAC and Protected Mode does not guard against this exploit or others? So far from the security researchers, I've only read very specific conditions under the latest systems that it's a problem.
Oh, so you have already read about conditions where this happens? Guess I don't have to answer this one then, do I?
Besides, I already gave you an example earlier. But just for shits and giggles, here's one that references the chances at 1% on IE8/Vista or IE8/Win7:
DEP Bypassed
Now, while 1% seems a trivial number, it is actually quite large when installed base is taken into account... or only a few million machines.
Then add to that, such an exploit can be attempted multiple times on a machine, which raises the likeliness of the exploit working.
And here's one more recent that states it is even more likely and has been proven to be possible:
Aurora Exploit
Hmmm... does that one sound familiar? Maybe the one this patch is supposed to address?
Or this one: Crappy Ass Microsoft Javascript implementation vector for bypassing DEP
And one that was made available to govts and large security software vendors: DEP being bypassed
And one (just to add it to the list) to bypass XP and hardware DEP: ANI Cursor Exploit
Should I go on? There are TONS of pages I can go through... and I haven't even started on the hotfixes and other patches Microsoft has released to fix earlier issues with DEP and UAC.
Knowing what I've read about the various security contests, the only thing that needs to be done is execute code as the user.
But what limited scope is this? Does the vulnerability get contained within the Low profile of IE? If it drops files in there, who gives a damn? Even if it can execute code at the medium privilege level, it still doesn't have access to core system files and settings.
Hmmm... I dunno... what did the .NET stuff do for both Firefox and IE? Is .NET really truly fixed this time? This is the 6th major attempt to do so, and probably the few dozenth attempt overall.
The severity of the vulnerability to me under Windows is what I care more about, simply saying the application is "vulnerable" isn't enough.
True... but then again, I make most of my "repair" money at the company I work for from fixing virus ridden machines running on default settings (DEP and UAC enabled) from customers who have (or claim to have) done nothing and clicked on nothing - other than visiting malicious sites before the most recent .NET patch.
Not that I'm downplaying the exploit nor any fixes for it, I'm just trying to shed light on the various methods used to prevent such things from gaining much traction on a user's computer.
If the exploit can get by IE Protected Mode and execute under medium integrity I'd be a bit worried, but the attack surface is very limited until it generates a UAC prompt.
When exactly does it do that? And you realize there are mechanisms built into Windows Vista and Windows Seven to bypass UAC, correct? I'm cleaning a machine right now with Vista on it (and UAC & DEP enabled), where winlogon was infected (along with just under 100 other files).
If the user clicks OK to the UAC prompt and lets the thing get elevated privileges, well, at that point I no longer blame the application--I blame the user.
I agree... but that is not needed in vari
LoL! I then retract my earlier answer and claim wittiness on my part. :-)
Yes, not the best subject... I admit... sorry.
Google offers videoconferencing, and I believe it is free (sans the cost of the cheap USB camera you will have to buy).
Check out this article, then check out the links for it on Google's site...
Google to offer Video Conferencing
As I recall, the Chinese government has access to the Windows source code. Google's been claiming that the Chinese government launched the attacks, and security experts have backed them up. The obvious conclusion is that having the source gave the Chinese government the opportunity to develop a new attack against Windows.
While some might see this as an argument against Open Source security products, I see exactly the opposite. The closed source made it possible for the only party with the source to gain an advantage. In products where the source is available to everyone, there is no advantage to any party. Therefore the holes are found and sealed, instead of left to fester, like this one was.
While that may have made it easier for them, it does not explain the numerous hackers and script kiddies who have managed to compromise IE7/8 and Vista/Win7 security, even on default configurations; as they did not have access to the source code.
The rest, though I agree with ("holes are found and sealed, etc") is also contingent on other factors when Microsoft is involved.
(1) Holes are only "sealed" when enough media attention is drawn to them - otherwise it's when Microsoft gets around to it, if ever.
(2) The holes are generally poorly patched, and not truly sealed (see the half dozen MAJOR (and tons of minor) .NET fixes to deal with the RCE exploits, where after each one, a very similar exploit was found because the hole was never properly patched, or there were dozens of others that were skipped).
No, I am not trying to bash Microsoft... there are enough others here to do that. I am simply pointing out history as it happened. Every statement above has historical backing to it (#2 I even provided one of many examples).
However, from what I'm gathering, the default Windows 7 install with IE8 should be safe from any attacks. As soon as you start disabling technologies (UAC, DEP)--you will run into problems.
Incorrect. As it is, UAC does not seem to stop various "visit a site" .NET/Active X exploits that Microsoft claims they have finally (6th time) fixed. Nor does DEP prevent them. Nor does the combination of the two...
..."oddly" enough, UAC does often prevent some updates unless a user confirms them... unless they are automatic, and use the same exploit method used by some of the malware out there.
Thus, IE7 and IE8 on Vista or Win7, even on the default configurations, is still vulnerable. Something even Microsoft finally admitted to in their most recent revision to their earlier document.
No it's not. It never has been for any decent exploit.
"The revised advisory also addressed claims made by researchers that it's possible to exploit the newer IE7 and IE8 browsers, and even circumvent Microsoft's recommended defensive measure, DEP (data execution prevention)."
C'mon, history/track record alone proves this. Or simply researching this particular exploit would once again prove Microsoft to be talking out of their ass.
Finally, after their latest nonsense was proven wrong and got sufficient coverage online, they've admitted it, confirming my beliefs (and those of the people who actually studied the exploits), and disproving yours...
And here ya go!
"The revised advisory also addressed claims made by researchers that it's possible to exploit the newer IE7 and IE8 browsers, and even circumvent Microsoft's recommended defensive measure, DEP (data execution prevention)."
How many of you will continue to believe Microsoft nonsense when it's already been proven to be wrong? Finally, after their latest nonsense was proven wrong, they've admitted it, confirming my beliefs, and disproving yours...
Whatever problems the Dems have, this is a problem that existed during Republican Rule as well. To pretend it's just the "Obama Administration" is ludicrous.
or
d) if the attack/infection vector leverages one of the numerous .NET or Active X exploits, holes, or IE buffer issues that bypass the DEP mechanism and sandbox.
(d) being the reason why the rest of your claims don't matter.
C'mon folks... you all aren't new to /. or the tech world. There have been tons of articles on such exploits... tons of patches that "really fix this, we promise" (Microsoft) yet really haven't fixed it... including in the .NET world alone, over a half dozen (unsuccessful) MAJOR attempts to fix these issues that render DEP/sandboxing useless...
Explain to me then, how various of the recent .NET and (other) Active X exploits bypassed DEP? Then tell me if you truly believe anything has changed since then to magically make DEP be the "be all, end all" protection for RCE exploits.
Truly, the plans for DEP and sandboxing were great on paper. But they do not work as intended and have already been bypassed, thanks to neato little workarounds or holes that Microsoft seems to have left unfixed. I've gotten machines in for repair that won't even let Windows Update run without a half dozen confirmations (still on their default settings) but are infected as hell because of .NET exploits that seem to entirely bypass those DEP/sandboxing protections.
But your understanding is incorrect, as even sandboxed, IE7 and IE8 have been susceptible (on Vista and Windows 7) to a number of exploits even just recently, including the .NET exploits recently covered in the Mozilla .NET plugin threads here and elsewhere.
Sorry, nothing personal, but reality trumps understanding every time.
On the experience end of things, I have run into numerous infected machines, which still have the default "protected"/sandboxed settings for IE and Vista/Win 7 and are still equally infected because of these exploits.
Further on the reality side of things, Microsoft is continuously releasing updates to IE7, IE8, Vista and Win7 to try to rectify the holes that allow such malicious stuff to bypass their broken "sandboxing"
So, you are correct if one only follows the theory and planned designs behind Microsoft's new protection scheme... but the reality is, that scheme is still broken and still vulnerable.
Wrong... the problem is in ALL versions of IE from at least 6 upwards on ALL operating systems from at least XP upwards. Microsoft themselves admitted that.
Our investigation so far has shown that Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 is not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are vulnerable.
Microsoft Advisory
Why are people still perpetuating the myth that this does not affect IE7 or IE8 when Microsoft themselves claim it does?!?!?! Just curious.
But, although IE6 has been the source of the attacks until now, Microsoft's advisory admits that both IE7 and IE8 are vulnerable to the same flaw, even on Windows 7.
Someone needs to do a lot better research when writing these articles or posting them to Slashdot or both.
THIS is blatantly wrong:
"Microsoft still insists IE8 is the 'most secure browser on the market' and that they believe IE6 is the only browser susceptible to the flaw. However, security researchers warned that could soon change, and recommended considering alternative browsers as well."
Heck, simply reading Slashdot would have turned up this:
Slashdot Article on this
Or this from Microsoft themselves which states even Microsoft believe no such thing.
Microsoft Admits IE7 and IE8 are vulnerable to this too
Our investigation so far has shown that Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 is not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are vulnerable.
I posted something similar about this days ago on yet another similar topic, but was laughed at by the MS/IE zealots who claim Microsoft said only IE6 is vulnerable... so, since they can't read obviously, there it is again... with the relevant section BOLDED this time.
C'mon folks, these RCEs are not new stuff, and seem to exist in EVERY version of IE since the beginning of time till now with "patches" that never fully address the issue (hence, as MICROSOFT themselves noted, this issue is... well... still an issue... even for IE7 and IE8).
Their lame (see story link above) answer that people should upgrade to IE8 as if that was the solution to this problem is idiotic. Yeah, people should upgrade to IE8 (if their machines can actually run it - some of my clients have older, slower machines and no budget to replace them)... but Microsoft should also be working on actually fixing all the RCE exploits and buffer issues in the IE line.
Regardless, my point is, with so much coverage over this (on Slashdot alone), you'd think the "Story Approvers" or author would have gotten that glaringly misleading (and incorrect) point correct. Oh well.
Good points, and a great perspective on it. I hadn't thought about how that was probably an even bigger hurt on their future marketshare (which I should have since virtually anyone can get the Android code and SDKs).
Why yes I do... you mean the one that Microsoft weaseled out of portions of, like a feature complete and compatible version of Office and the likes? The one when Apple was NOT on the verge of bankruptcy? The one where Microsoft's contribution was minimal in the grand scheme of things? (kinda like giving a millionaire a few thousand dollars).
So, the question is, do you remember it?
Apple must be desperate if this is considered...
Except, the article seems to be pure speculation by BusinessWeek, as opposed to anything from Apple hinting at it. These "analysts" can think or say what they want... they've been wrong in the past, especially about Apple. Time will tell... but I still think Apple would not even consider such a partnership.
Ooops... it was moved to Dulles.
Well, the Enterprise is virtually on the Mall in DC - at least the last time I was there... right inside the Smithsonian. I think you can even see it from the Mall through the windows at the Smithsonian.
So, it probably wouldn't take that much to move it outside to convert to housing.
;-)
I dunno... I disagree. Apple's partnerships with Microsoft have always ended badly.
On top of that, it's not like Google is really advertising the Nexus One (hence the "poor" sales), so I don't see how it would drive anyone to do anything. The article would have been more correct if it discounted the Nexus One and simply grouped all Android phones as the driving force.
That aside, Google's "search everywhere on the phone - or the web" search seems better than anything Microsoft has to offer. And Apple's current search seems better as well (in that respect). So, switching search providers to Bing doesn't seem to gain much benefit to Apple.
Conversely, setting Bing as the default search provider could push away some quantity of pro-Apple/Anti-Microsoft fans. Now, while I don't have an iPhone (I happily use my "antiquated" G1), I for one would not ever switch my search provider to Microsoft... their current "privacy" policy's interpretations aside, they have done nothing to really assure me they are not still selling my search data and whatever personal info they can glean from it. As a matter of fact, their current policy states they still do (it's the whole Microsoft partner thing that is always snuck in)... while at least Google, even though privy to more information, doesn't seem to actually sell the raw data, but instead sells services where you can advertise through them to people who meet certain data requirements. That leaves my "options" as use Bing and allow Microsoft and their "partners" to access my data, or use Google and allow Google and... oh, that's it... access to my data. As Microsoft has made many a claim in this (privacy) and other areas in the past (while even sneaking in little sections stating they can sell your data, images or whatever that you put on their services), yet claim they protect their users' privacy, I still see them as the worst option.
And no, I am not trying to start an anti-Microsoft rant. I am trying to say that, as a technologically savvy computer user (ie: tech, programmer, web designer) who actually reads the EULAs and knows what little hidden gems are in them, I would expect many Apple users (many of whom already seem to have something against Microsoft - some for valid reasons, such as dropping Office support, reinstating Office support (well, a subset of it), then dropping Office support... trying to prevent certain of their OS's from running under virtualization software on MacOSX, etc) will also not be happy with such a partnership and may turn away from Apple - especially with Android based phones gaining some ground.
So, for Apple's sake, I'd think them making their own search engines/tools or sticking with Google, may be their best bet. Gotta remember, it doesn't matter if Apple/iPhone users are zealots or misguided - or right on the money... what matters is how that will affect Apple's marketshare and mindshare in the iPhone/smartphone marketplace (hence my point about not trying to start a flame war or my post being intended as a rant). It's all about public perception - or in this case, customer perception... reality does not matter in those situations (whether the reality I paint above is true or not... since it is widely held perception, which for marketshare, beats reality every time). But that's just my opinion.
Oh well, no big deal to me. By the time I found something on NYT that I was interested in reading, it was already in their paid section and no longer free to view.
I wonder if the printer versions and such will also be "paid only" or if that little loophole will remain unfixed.
Refer to my:
"and travels into the boonies of upstate (New York) or through NYC in West New York (ie: New Jersey) a bunch, I am happy with TMo. When I am in the boonies upstate, it roams (including 3G where available) but I don't get charged for it."
Port Henry and Ticonderoga are not influential congress critter's districts. The exact opposite.
The thing that most people don't mention (or even know) is that roaming (due to agreements with numerous carriers, including AT&T) does not cost extra for TMo customers. It works and acts just like regularly connecting via T-Mobile.
So, technically, T-Mobile's coverage is better than AT&T's, as a T-Mobile customer has access to T-Mobile's network... or AT&T's network (and various others, including some Verizon owned ones) where T-Mobile doesn't have coverage.
Maybe you simply had roaming turned off on your phone? I did that until I realized that roaming was simply counted towards one's minutes in the same way that regular TMo network usage was.
Or maybe you simply didn't have a quad band phone on TMo (some of the really older ones weren't quad band... all of mine have been) and thus could not roam on certain other networks where different bands were used?
Perhaps that is why I have equal or better coverage than others on other carriers?