Serious Security Flaw in MSIE 5.01, 5.5

Visit an attacker's webpage using Microsoft's browser on Microsoft's operating system, and the attacker can execute arbitrary code on your system with your full privileges. Oh, and thanks to Microsoft innovation - you may remember this from the trial - the browser is integrated with the OS, so reading email from an attacker (opening attachments not necessary) also gives them full access to your machine. MSIE 5.5 is vulnerable, and MSIE 5.01 is vulnerable unless you've installed Internet Explorer 5.01 Service Pack 2. Read the security bulletin and download the patches. Discovery props to Kriptopolis.

Recipe of disaster

Just think of the following scheme: (If I understood correctly, it should be possible to create the following worm)

1) Send this worm to everyone in the address book using the randomly taken subject from the your previous emails.
2) Install timebomb into computer, which deletes all the files after few days
3) Send all your previously written emails to random recipients taken from the address book.

Worm would spread like a wildfire as the message does not look suspicious (it comes from a known sender and the subject is reasonamle as it has been used before by the sender). As no questions are asked from the user - all the outlook users reading the message would be affected.

Worm would be totally destructive, as all the files would be deleted.

Probably most damage would be done by sending the previous communication to random recipient. Just look into your sent messages folder and imagine what would happen if you would send the messages to random recipients taken from your address book.

Do you still have the gust to use Windows/IE/Outlook ?

So um...

When is there gonna be a software Lemon Law? A car can explode and kill or injure its occupants, but when a piece of software running mission-critical software breaks (or is broken), it can cost money, time, or, in the most severe case, lives. When will software companies be held responsible for the most egregious of errors, and would something like this be considered just that?

- A.P.

--
* CmdrTaco is an idiot.

IE's OS integration

I find it odd that people are bashing MS because so many programs are using IE to render HTML.

Think about it. There is a standard way for any program to render HTML in a window. Instead of everyone reinventing the wheel, all a programmer has to do is create a COM object and display it in a window.

Of course, the average Slashdotter is using this as evidence that Microsoft is the tool of Satan and their buildings shall be razed and their children and their children's children unto the fifth generation shall be cursed and despised, etc.

Modularity is good. Standard ways of doing things is good. Code reuse is good.

Now, the fact that there is absolutely no way to replace IE with your web browser of choice is evil (despite the fact that email clients, HTML editors, conferencing software and whatever else can be easily replaced) and the fact that Microsoft is terminally unable to write a program that doesn't serve as a speedy means of either crashing the OS or inviting in unwanted network guests is also evil. So they are the tool of Satan and their buildings shall be razed and their children and their children's children unto the fifth generation shall be cursed and despised, etc.

On a side note, GNOME is doing the same thing. Any program can use gtkhtml to render HTML in a window. Evolution is using it to display email messages (sound familiar?), Red Carpet uses it for UI, and GNOME Help uses it to render content. IIRC, the plan is to eventually replace gtkhtml with Mozilla (which does a much better job of complying to standards and rendering documents than gtkhtml.

Hmm..

Microsoft already has a fix out. I think this bug was reported today. I'm impressed.

So many people here always scream that Open Source is better because you don't have to "wait for the service pack" in order to get fixes. Granted, the bug probably would've been found sooner if the source were open, but the fact that there is a fix out already is admirable.

I think this is going to be another long thread of unwarranted Microsoft bashing. You can bitch about the bugs in IE and it's security hazards, but if they get fixed this fast then it really detracts from your argument that Microsoft sucks. There have been security flaws found in Linux with a fix issued and instead of posts saying "Linux sucks, here's yet another security patch I have to add!" they're praising the community for getting a fix out so much faster than Microsoft would have.

Re:Inaccurate

I would say two things: first off, Creating something like BIND is infinitely more difficult than something like MSIE-- MSIE has a huge number of disparate things it's expected to do, while BIND is in a certain manner less "complex", but all the things MSIE does are *simple* and it doesn't have to do them *efficiently*. Despite this BIND, at least from where i'm standing, seems to be doing *better* than MSIE. I mean, it may just be i'm not paying attention, but big BIND problems seem to come along every five months and big MSIE problems seem to come along every two or three.. and the MSIE problems seem a bit worse. The IMPORTANT thing, though, and this has been noted elsewhere in this same discussion, is that BIND is aimed at *professionals*-- people who are skilled, and people for whom constnatly watching the security news and speedily applying new patches to the machines they are charged with watching can be considered to be part of their *job*. MSIE/OE, meanwhile, is VERY heavily used by people who don't understand computers at all, people who just wnat to print things in wordperfect every so often and get e-mail every so often. MICROSOFT HAS AN OBLIGATION TO PROTECT THESE PEOPLE, microsoft has an obligation to not leave the defenseless with security vulnerabilities, microsoft has certain obligations to simple SAFETY that the people who write BIND do not. ANd MS is failing at it. Do you really think that the kind of person who is scared by computers to the point where they never ask "I wonder how i can delete these shortcut icons off my desktop?" Is going to *EVER* update their IE, or check microsoft.com for updates, or even be able to figure out what a service pack is?

As far as Wu-ftpd goes.. dude. Seriously. Use Proftpd. It's better anyway. :) With something like Wu, it gets to the point where if you don't like the security track record of a product you should consider just not *using* it.. hell, you even have alternatives to BIND. Microsoft should realize that people don't have too much alternative to using MSIE, realize that people aren't going to switch based on security, and make it their job to fix security as a result. Although i'd bet that they let security get so bad *because* they knew nobody would stop using MSIE because of it.

> If you want to make a constructive criticism, then you should have them rewrite the whole OS.

Not a bad idea. Here's a better one. Two words: CODE AUDITS.

(at the sound of the magical words "code audit", angelic voices are heard singing from the heavens.)

MS doesn't need to *rewrite* this stuff, not *really*, but initiating a large-scale security-oriented code audit of the entire text of their networking and web browser code is something that they could really stand to do, BEFORE they start thinking about windows xp or whatever. They certainly have the resources. How do you propose to get them the initiative? Cuz it's sure as hell not my problem :)

Re:Inaccurate

My apologies for being unclear. That comment was meant to refer to microsoft's *web browser* division, and microsoft's web brower division *only*. Yes, of course server OSes and server apps will have security issues from time to time. I don't expect them not to. The thing that leaves me a bit taken aback, though, is microsoft's tendencies to have security issues in a low-end *consumer-oriented* app like a web browser. WEB BROWSERS ARE NOT THE KIND OF THING WE SHOULD HAVE A SECURITY TRACK RECORD TO KEEP TRACK OF, and that was my only point.

YESS, it really kind of *is* an MS thing. Except for one vague memory or so of an incident involving a java hole, you just plain don't *SEE* security holes popping up with Netscape or Opera or Omniweb or really ANY browser except MSIE! *Netscape* got security right, and their software was AWFUL! But that there should be THIS many instances of hardware-access-level vulnerabilities in something meant to display web pages.. just. blah. it blows my mind.

--mcc
it is late and i am spastic and bitter

Re:Inaccurate

> In short, I wish people would stop with the idiotic Microsoft bashing. All software has bugs. Let's fix it and move on.

The problem with this is that this isn't just a Well, Now It's Over And We Can All Get On With Our Lives type thing. If this were an isolated incident, "Move on" would be good advice indeed; however, Microsoft is developing a literal track record when it comes to security vulnerabilities. Security holes in MSIE, SERIOUS ones, seem to be cropping up on the order of once every couple of months;
i can think of at least four times since MSIE 4 that ways for attackers to affect the contents of an MSIE user's hard drive have been discovered, and i haven't even been watching it closely.
Are you really sure that "forgive and forget" is a good idea?? Do you honestly think that this isn't going to happen again? Do you honestly think if people let this issue rest-- and they will-- that microsoft is going to change its ways on its own? It certainly didn't the LAST couple of times this happened.

Keep in mind these are the people that you're supposed to be buying an attempted NETWORK OS (windows xp) from in a year or so, and they can't pull off security in a passive web browser. XP involves the passing around of remote executable code, doesn't it? Don't you think some SERIOUS pressure needs to be brought to bear on microsoft until they take steps to ensure that the security issues in their browsers are dealt with, COMPLETELY?

I am a Mac OS X user, so i am not *too* worried about this, but i do use MSIE from time to time, and so i for one am extremely alarmed with microsoft's nonchalance with security issues. Microsoft seems to have no interest to bring these "technologies" (activex, for example) that seem to be causing the problems to the macintosh platform, and the Macintosh port of IE shares no codebase with the windows version, so i am not directly threatened; however i still feel somewhat insecure with using MSIE.

Day In The Life Of Net Scam Artists

Day In The Life Of Net Scam Artists [slashdot.org]

CRIMINAL NO. 0
12:32 AM Some lamer just offered me $250 to write a one-day journal of my hacking. I brag that I can make $4,000 a day by stealing credit cards, but I'm still willing to spend several hours writing a journal for a meager $250. With that kind of incentive, you can be sure that none of this is made up. None of it. Trust me, I'll appeal to the media's maniacal demand for sensationalist hacker stories.
12:38 PM Found a cool new way to hack people. 31337. [microsoft.com]
12:39 AM Sent out a mass HTML email to hundreds of AOL Lusers with code to steal their passwords. The technical flaw only exploits Outlook Express users, but those Lamers are stupid enough that somehow it'll still work in their AOL mail programs.
12:40 AM Going to my girlfriend's house.
12:41 AM Back from girlfriend's.
1:14 AM Got 217,468.25 AOL logins already. Haha, those lamers are so stupid! I can steal all your passwords, America, and there's nothing you can do about it because I'm a scary hacker! ph34r me.
1:27 AM Ran a secret hacker script to extract credit card numbers. Bought $1,000,000,000 worth of cocaine from a secret hacker website at http://www.dea.gov/ [dea.gov]. The Feds will never be able to figure out my address, because I sent it to my mom, who's sleeping in her room down the hall. And my ISP will never give my name away - AOL doesn't do that kind of thing.
1:30 AM Realized its past my bedtime. Mommy's yelling at me to go to sleep. Remember, America, hackers can do anything! But send me your credit card number and I guarantee that you'll be safe from hackers.

(Score:-1, Corny)

Re:Day In The Life Of Net Scam Artists

. . . and he's still getting more than I am.

(This always is the point where the moderators finally get some pitty and moderate me up, only for someone in my school to see it and show everyone else =)

Re:Inaccurate

Come on now BIND, wu-ftpd, and even sendmail get bashed regularly on slashdot (and rightfully so especially BIND). It's because of all the bashing that BIND9 was re-written from scratch.

Don't you remember the recent thread about BIND? Whenever a major security breach is discovered it gets covered on slashdot why should MS be immune?

Re:Inaccurate

Well that's not what they testified to in court. Are you suggesting that the top brass on MS committed perjury?

Meanwhile, in related news..

For immediate release:

Foot-And-Mouth Believed To Be First Virus Unable To Spread Through Microsoft Outlook

Atlanta, Ga. (SatireWire.com)

Scientists at the Centers for Disease Control and Symantec's AntiVirus Research Center today confirmed that foot-and-mouth disease cannot be spread by Microsoft's Outlook email application, believed to be the first time the program has ever failed to propagate a major virus.

"Frankly, we've never heard of a virus that couldn't spread through Microsoft Outlook, so our findings were, to say the least, unexpected," said Clive Sarnow, director of the CDC's infectious disease unit.

The study was immediately hailed by British officials, who said it will save millions of pounds and thousands of man hours. "Up until now we have, quite naturally, assumed that both foot-and-mouth and mad cow were spread by Microsoft Outlook," said Nick Brown, Britain's Agriculture Minister. "By eliminating it, we can focus our resources elsewhere."

However, researchers in the Netherlands, where foot-and-mouth has recently appeared, said they are not yet prepared to disqualify Outlook, which has been the progenitor of viruses such as "I Love You," "Bubbleboy," "Anna Kournikova," and "Naked Wife," to name but a few.

Said Nils Overmars, director of the Molecular Virology Lab at Leiden University: "It's not that we don't trust the research, it's just that as scientists, we are trained to be skeptical of any finding that flies in the face of established truth. And this one flies in the face like a blind drunk sparrow."

Executives at Microsoft, meanwhile, were equally skeptical, insisting that Outlook's patented Virus Transfer Protocol (VTP) has proven virtually pervious to any virus. The company, however, will issue a free VTP patch if it turns out the application is not vulnerable to foot-and-mouth.

Such an admission would be embarrassing for the software giant, but Symantec virologist Ariel Kologne insisted that no one is more humiliated by the study than she is. "Only last week, I had a reporter ask if the foot-and-mouth virus spreads through Microsoft Outlook, and I told him, 'Doesn't everything?'" she recalled. "Who would've thought?"

Copyright © 2001, SatireWire

--

Re:IE's OS integration

I disagree with almost all of you. Having HTML-rendering code available as an API for all programs to invoke if needed is not a bad thing. The problem here is the crap that comes along with that, and the numero uno biggy is Active X.

When Active X was first announced, all security-minded folks heaved, sighed, and worried. "Download native code with full privs and it runs on my box?" Microsoft assured everyone that it wasn't a problem cause all code would be signed and you could limit what gets run on your box.

As history has shown, this promise has failed. We've had hacks exploiting weak Microsoft-supplied active X controls, Active X controls that come with Windows (and hence already installed) with problems that get exploited (hence no prompting), and bogus verisign certs that appear to come from Microsoft and problems revoking it. And finally, just plain stupid users who will press OK on any dialog box that comes there way...

So it's not the bundling of an HTML rendering engine that bothers me, it's the crap that comes with it.

BTW, on my windows boxen, I just set the option for active x code and scripting to "prompt" instead of enable or disable. It can be a pain at times, but unless I'm doing something like visiting the Windows update site, I usually deny any active x invokations on almost all web sites I visit.

Re:Windows sucks now, eh?

Ok, I did a fresh install of windows on a computer at work. Windows 98 first edition. I popped in the cd, the install ran, and in 30 minutes the computer booted and I went to the Windows Update site. Four downloads and two reboots later, I have a reasonably secure system with no known exploits. Full install, all fixes applied - less than an hour and a half.


This is a pretty useless argument. Atfer spending this amount of time with an install of Windows 98, adding the updates and rebooting a couple of times you have an OS installed. If I spent the same amount of time with a Red Hat 7 install and updates I have everything I need to get my work done. I have Emacs and and gcc andPERL and Apache and MySQL and OpenSSH and Abiword and Gnumeric and Netscape and Mutt, etc.

You have Windows, IE, Outlook Express and WordPad. Joy, just what the hell are you going to do with that?

You're comment about Windows being secure is true. On the other hand its' not like it does anything either. As soon as you install an FTP server, a web server, an RDBMS and a remote acces program you have the potential to get just as "owned" as any other OS.

What people are trying to say here is that making my email program execute code because I've got something showing in the preview pane is pretty damn dangerous. Yesterday, for the first time in my life, I recived an email that makes use of these fancy scripting features. Its' a piece of spam (which I signed up for) from the Ministry of sound with a link to their new TV ad and a little flash animation. Its' pretty cool but I'll live without it if that's the cost of not getting email that causes some trojan to be executed.

Re:Inaccurate

That is inaccurate. It's thanks to an object oriented operating system that we have this problem.

Not sure what OO has to do with it; the problem is a program that executes code recieved from the net without even asking. That's the problem. Let's hope KDE never does anything that silly.

--

--

Re:Hmm..

The way these things work is that whoever discovers the bug, if they are a white hats, sends a message to the software manufacturer. Usually it is of the form "Here's the bug, here's what it can do. You have XX days to issue a fix. After XX days I will post this to a security discussion alias with/without also posting the exploit".

The fact that the bug was reported today does not mean that that is when Microsoft found out about it.

I had a funny experience. I went to the website and downloaded and ran the patch but it gave me a message saying I did not need to install this update and exited. Anyone else have this happen?

Re:Not Suprising

I find it amusing that the worst purveyer of unprompted MS-bashing, Malda, is also the only editor who regularly admits to using Windows.

I find that quite understandable. People who don't deal with Windows on a regular basis generally don't have very strong feelings about it. This makes it easy (and fun) to maintain an attitude of casual scorn and contempt toward that particular festering pile. When one is forced to use Windows, however, one's attitude unfortunately degenerates into pulsating screaming hatred.

Re:Hmm..

Read the 'Caveats' section on this [microsoft.com] page.

Translation for Slashbots

Here's the translation for your average slashdotter

Originally posted: March 29, 2001

We would have told you earlier, but we were sharpening our throwing knives and trying to install "Unix" on our computers...

Summary
Who should read this bulletin: Customers using Microsoft® Internet Explorer.

Let's see... IF I were running IE, then the Attackers^tm would be fiercely attacking me now and I wouldn't be reading this right now... but the translation is:

Who should read this bulletin: any of the sheeple that we have convinced to use our (superior) product.

Impact of vulnerability: Run code of attacker's choice.

So basically, this lets someone malicious tell your computer what to do.

Recommendation: Customers using IE should install the patch immediately.

So basically, this lets someone malicious tell your computer what to do.

Re:Pet Peeve

Yet, they keep cranking out new writes of the same old horse with new bugs every couple of years to make $$$$$$$$$$$..

Windows has existed in its present forms for about five years. UNIX has been around for 25-30. BSD for 20. GNU for 15. Linux for 10.

Their operating systems boast a superior UI, an extensive object-oriented architecture complete with distributed RMI, and run on a greater variety of hardware than any other system, including GNU/Linux.

NT has only taken market share from UNIX. (Which, as most of you are too ignorant to know, was a Big Bad Corporate OS in the 80s. Just like IBM was evil in the 80s. How things change... a few open-source UNIX-ripoffs later, and UNIX is considered "grassroots" by many people here, just like IBM is now seen in a similar light for their "heartfelt" support of Linux.)

They've also completely taken over the desktop market. Of course the roots of this monopoly are 20 years old, but they've only had a truly desirable product for about five.

I like NT. I wouldn't let it in my server room, but it makes a damn good workstation OS. I like its interface best of all I've tried. It has excellent hardware and application support. In addition to being a great development environment, it plays games and DVDs. And my UNIX boxes are never farther away than a telnet session.

MSFT has perhaps produced a greater volume of useful code in five years than anyone else ever has, and NT is still four times younger than UNIX. So I'm willing to forgive some bugs.

--

No problems here...

I'm posting this from IE 5.5 on NT5 and ØÄȦ®$ûüè h4w h4w! I 0wn 4ll j00r b0X0rz!! ØÄȦ®$ûüève experienced absolutely no problems. Furthermore,ØÄȦ®$ûüè w0w d00d 1 4m 50 3l337 ØÄȦ®$ûüèsecurity issues on the web today. What about Netscape 6? For instance, NetØÄȦ®$ûüè m$ c4n suX0rz my c0ckz!!! llolololol ØÄȦ®$ûüèPerhaps Slashdot is blowing this out of proportion.

--

Web browsers belong in a jail

Web browsers should be running in a partition with very few privileges. They should be able to talk to the net, read their own code and resource files, write their own windows, see mouse and keyboard events in their own windows, and that's all.

A good exercise would be to take NSA Linux and Mozilla and make them work under such restrictions. This might include managing the cache in a separate process with slightly different privileges. The cache manager needs to read and write the cache, but should never interpret the content. (Think of the cache as being managed by a built-in proxy server, while the main browser does no cacheing.) Configuration also needs to be done by a separate program and process, one that gets its input from the user, can't get input from the net, and can write the preferences files. This gets all the code that can write permanent files out of the main part of the browser.

Done this way, it doesn't matter if the browser code has security holes because the browser code is not trusted. The mandatory security protections of the OS prevent it from doing anything. This is the right way to do it, and the only one that will work.

New read and execute features in IE 5.5

Combine this new exploit with this old one [zdnet.co.uk] that lets you read any file off someone's harddrive and I think Microsoft might be able to market these as .NET features.

-gerbik

Joys of non-competition

The problem with this is that this isn't just a Well, Now It's Over And We Can All Get On With Our Lives type thing. If this were an isolated incident, "Move on" would be good advice indeed; however, Microsoft is developing a literal track record when it comes to security vulnerabilities. Security holes in MSIE, SERIOUS ones, seem to be cropping up on the order of once every couple of months;

The problem is that we cannot move on. There is no alternative. We have to use whatever Microsoft gives us and smile while they shaft us. IMHO that's what the anti-trust trial is really all about and not whether or not someone's ability to "innovate" is being stifled by goverment regulations. If their product was just so good that everyone chose it out of their free will, people would move on to competitors when something like this happens.

Netscape? Don't make me laugh. Mozilla? I like it, but it still crashes within 15 minutes.

Well okay, fair complait re : security of system

But to be honest, a system is only as secure as the user or the admin sitting at it. Uneducated users are the most dangerous security hole there is. You can have the best security, the lest buggy code, but if you have a tool using the system you may as well go flush your hard worked over secuirty systems down the drain. Okay, that is expanding on the truth, but it's a frustration I feel every day.

I know we will see dozens of anti M$ bites, but really, who are we kidding? Security is not an easy thing and everyone gets it wrong at some point. I had a supposably secure Sun OS 0wnd by a script kiddie all because the damn admin wanted telnet open. What can you do if people wont take security seriously? I run a IIS webserver due to an app needing it and it has been attacked - it has stood up because I keep up with the lastest problems. You just have to do it.

You also have to realise security is tradeoff. I can guarenttee I could build you a Linux server so tight only the true elite would root it.... but how usuble will it be? Not very. The problem demonstrated here is that very tradeoff, MS wants usabliity, so do the unwashed masses. Makes it easy to exploit. Tighten it up and the unwashed wonder why they cant download their porn without some popup telling them that this download or link could be malicious and to proceed after the seven other warning they would get.

What's the solution in the end? Geeks like us educate the Great Unwashed maybe, I dont know. Certainly a different security paradigm than what Microsoft has.

Re:Hmm..

> Does anyone really think that the internet would be growing this fast if it weren't for MS.

You mean, if Microsoft did not consider Internet un-important and tried to promote their own non-internet MSN service instead in Windows 95 A ?

You need to stop beleiving the bullshit redmond throws at you. Microsoft have been surprised by internet, under-estimated the phenomenon, and tried (and failed) to control it. Now they want to make you believe that credit is due, while they did their best to slow it down.

The only credit Microsoft have is the very impressive turnaround they did in 1996-98. I would never have beleived that such a big company could react that fast.

Cheers,

--fred

Re:Inaccurate

> OK. My apologies. :)

OK. Let's say I remove this comment about the placement of your head. :-)

You know, I just commented on your first sentence, and I must admit nor having read the rest of your post. So much of intellectual honesty. You were such an easy target...

> I would go into a long rant here about my personal belief that unweildiness of Mozilla

That would be interesting. I find mozilla code awful, and beleive that the original sin was to make 'dynamic' code with C++. When I look at the code, I pity them, as they took great amount of pain to code in C++ things that would have been natural with Objective-C. Of course, I am biased on this :-)

Cheers,

--fred

Re:Inaccurate

> first off, Creating something like BIND is infinitely more difficult than something like MSIE--

Gently put your head out of your ass. You obviously don't know what you are talking about. Bind is a two-banana hack compared to MSIE. MSIE have about the same complexity as Mozilla. Ever looked at mozilla source code ? Ever tried to build it ? Now take a look at BIND source code. Build it. Draw you conclusion in term of complexity.

A BIND bug is very serious because it can compromise huge segments of the network. But people that run BIND know what they are doing (or should know). And there are alternatives.

A MSIE bug is very serious because it can compromise a huge number of individual hosts. Furthermore, people don't choose to run MSIE, they have to, or they just don't know that they are running it. And you can't remove MSIE from a windows machine.

So, IMNSHO, a MSIE bug is more serious than a BIND bug.

Cheers,

--fred

Re:Not Suprising

Then again, it wasn't CmdrTaco who posted this, but we're making strides.

I'm impressed with the comments I've seen moderated up so far. Usually stories like this are flooded with comments like "Microsoft sux0rz, this is why Open Source is better!"

Isn't it funny that when a bug is discovered in Microsoft software, it's a victory for Open Source, and when a bug is discovered in Open Source software, it's a victory for Open Source?

Re:Pet Peeve

You are delusional [google.com].

Windows has existed in its present forms for about five years.

I presume you are judging the OS by the GUI. Windows NT version 3.1 was released on July 17, 1993. The GUI was different, but the architecure was there, care of David Cutler.

That was the release date. Microsoft recruited David Cutler in 1988, well before Linus started [clug.org].

Superior UI? Look at the quality of window managers. I'm sorry, but Sawfish, Window Maker and Enlightenment all kick Windows' butt when it comes to utility and control. And themability makes them look good too.

OO Architecture? Um, I think you'll find Gnome and KDE are riddled with OO.

Greater variety of hardware? NT had x86, Alpha [alphalinux.org], MIPS [lena.fnet.fr], even PowerPC [linuxppc.org], but they're all unsupported now. The free OS's easily wipe microsoft's peachy behind with their portability and the number of actual ports. All of those above plus loads more [linux.org.uk].

They've had the desktop market since the PC clone became popular. There wasn't a real desktop market before this. They didn't take that from anyone.

Yes, NT is taking share from Unix. But the free OS's, chiefly Linux, along with the rise of the Internet, is challenging this.

MSFT has perhaps produced a greater volume of useful code in five years than anyone else ever has
No, they just keep re-releasing the same code with new bells and whistles. The bulk of the code has been made by other companies, later bought up by MS.

Perhaps you can tell I do not like MS. I grew up with MS and I used to love their products. I still like the style of their early manuals (when you got them). But maturity and familiarity have given me perspective. I think you need some too.

Re:Not Suprising

No, the shocker is that a Microsoft bug was posted on Slashdot with the (entirely unbiased comment I might add) phrase "patch now, patch now". For once, Slashdot is caring about those who view their site from the other side of the fence. Then again, it wasn't CmdrTaco who posted this, but we're making strides.

Re:Inaccurate

You are really off base.

Because of this system, every PC out there built within the last 6 years has a copy of IE on it.>
Wrong! I've built serveral boxes, and none of them have IE on it. They run FreeBSD. Futhermore, I have a single box that I built that doesnt have IE on it at all, and it even runs Win98.

This is (of course) due to the fact that MS can look at the f&%*ing kernal!
Its their goddamn kernel! They wrote it, they own it! But futhermore, IE is faster because the libraries that make it work are pre-loaded when the system boots, because the executable is smaller because more of the functions are in those libraries.

When the very functionality of the system is endangered and the user (or in this case the users data) is laied naked before the world that's a time for a RECALL OF THE PRODUCT
MS does this. According to them, they recommend all users install Critical Update Notification for Windows. This is akin to a product recall - when a serious bug comes up they update the Critical Notification records, and everyone running it recieves a patch.

Why is software any different than any other product?
Probably because most products are tangible, hard and fast goods. MSIE is an intangible product. You can't buy it shrink-wrapped at the local Staples. Its integrated into the OS, or downloaded via the web. What type of recall do you think is viable? Seriously? Do you want users to copy IE on a disk and mail it back to MS? Do you want them to un-download the program? Can they unpay the price of the product?

When it's hazardous it is the responcibility of the company to let the user know.
How could they if they didnt know about it? Are they supposed to be psychic? Are you suggesting they've known about it for months and done nothing?

Inaccurate

Oh, and thanks to Microsoft innovation - you may remember this from the trial - the browser is integrated with the OS, [etc, etc]

That is inaccurate. It's thanks to an object oriented operating system that we have this problem. Ever heard of the term "reuse"? It's a feature, not a bug, that you can reuse components in various applications without having to rewrite them.

KDE would have exactly this flaw if the Konquerer component had this flaw and an e-mail reader used the component.

In short, I wish people would stop with the idiotic Microsoft bashing. All software has bugs. Let's fix it and move on.

--

SP2

For those of us not so enlightened as to use netscape or mozilla, this means another trip to the microsoft website.

Special note of warning, the website has been more messed up than usual over the past few days, especially in trying to download the 5.01 sp2. I'm still trying to find the full package in one compressed file so that some folks can save the bandwidth.

My opinion: reports and pr to the contrary, the bit and piece auto install over the net is not more convenient. Especially when you have poeple mobbing sites for an update.

But if you are here reading this, you probably know this already.

Check out the Vinny the Vampire [clik.to] comic strip

This has happened on many browsers before.

I don't know what the big deal is here. This has happened to many other browsers before, including older versions of IE. With new standards, scripting and virtual machine technologies being implemented in browsers continually, it is expected. It is a simple browser vulnerability, and that is all.

This is not new, if you read Bugtraq [security-focus.com], or even Georgi Guninski's page [guninski.com], you will see this and many other exploits are a common occurance in many browsers. Even browsers that handle only plain html like Lynx have been proven vulnerable at times.

Since IE3, many vulnerabilities like this have popped up in MS's browser. IE3 was far worse, as both the Windows and Macintosh platform could both be explotited in terrible ways. Also, we can't forget the famous Netscape Brown Orifice [brumleve.com] exploit, which Netscape admittedly [netscape.com] couldn't even fix in their 4.x series of browsers. I'm sure there are some fine exploits waiting to be found in the lesser used browsers too, but they are just far less reviewed by the security community.

Now I don't think its right that such vulnerabilities exist, but bugs will always be present in software. Internet Explorer just happens to use a lot of mixed technologies and therefore there are more ways for it to be exploited. This is nothing more than someone exploiting a vulnerable version of BIND or RPC. The only difference I find here is that Microsoft is involved, and thus makes a good sensationalist Slashdot target.

I hope this is enough of a definition for you.

Below is the link to the explaination of said hack, that includes 'source' et al.

http://lists.nat.bg/~joro/webctrl2.html

and the URL from ZDNet that linked to it.

http://www.zdnet.co.uk/news/2000/35/ns-17763.htm l

Demonstration is available at: http://www.nat.bg/~joro/webctrl1.html

Workaround: Disable Active Scripting

Damn you Microsoft!

csh-2.04# explorer
csh: explorer: command not found

oops... I'm not on Windows...

April Fools is coming!@!

Macroshaft Security Bulletin (MS01-069)

Patch Available to Improve Packet Pigeon Performance

Originally Posted: October 22, 1999

Summary
MacroShaft has released a patch to ensure delivery of packets via Packet Pigeon birds. This is long overdue and is a must secure vulnerability on all MacroTrash products.

Frequently asked questions regarding this vulnerability will always be laughed at MacroShaft [macroshaft.org] and AntiOffline [antioffline.com]

Issue

The Packet Pigeons used in large cities were sometimes affected by those in the geriatric stages of their lives, as these 60+ year olds fed Packet Pigeons en route to their destinations causing a denial of service.

Affected Software Versions

• MacroShaft Windoze NV 4.0 Crashstation
  
• MacroShaft Windoze NV 4.0 Server
  
• MacroShaft Windoze NV 4.0 Server, Enterprise Crash Edition
  
• MacroShaft Windoze NV 4.0 Server, Terminally Ill Edition
  
  

Patch Availability

• x86:
  http://download.some.0-day.warez.com/at/some/other /site
  
• Alpha:
  http://download.some.0-day.exe.files.com/else/wher e
  
  

(NOTE: MacroShaft really cares about it luzers.)

More Information
Please see the following references for more information related to this issue.

• MacroShaft Security Bulletin: Frequently Asked Questions,

http://www.MacroShaft.org/cgi-bin/display?=%2edev% 2enull

• MacroShaft article MS.Kills [antioffline.com], How Microshit products may be actually killing its users, (Note: Read our new book "Hax0ring sluts for fun and profit.")
  
• HURT Advisory NY-69.4u, Topic: Campbells soup set to release new product,
  http://www.antioffline.com/scriptkiddiesoup.html

Microsoft Insecurity Advisor web site, http://www.wiretrip.net

Obtaining Support on this Issue
This is a fully supported patch. Information on contacting MacroShaft Technical Support is available at http://support.macroshaft.and.all.of-its-h0es.com

Acknowledgments
MacroShaft acknowledges deran9ed/sil of AntiOffline for bringing this issue to our attention and we will up his p0rn quota to 2 gigs.

Revisions

• October 22, 1999: Bulletin Created.

THE INFORMATION PROVIDED IN THE MACROSHAFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MACROSHAFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, OR EVEN EXORTED INTO THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MACROSHAFT CORPORATION OR ITS WHORES BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES TO YOUR PORN DIRECTORIES NOR PACKET PIGEONS, AND POKEMON, EVEN IF MACROSHAFT CORPORATION OR ITS H0ES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. PEOPLE OF GERIATRIC AGE SHOULD HAVE THEIR LICENSES REVOKE AND THROWN INTO LABS TO SERVE AS LAB MICE. AND IF YOU ACTUALLY READ ALL OF THIS THEN YOU MUST BE AS BORED AS WE WERE. ANTIOFFLINE RESERVES THE EXCLUSIVE RIGHT TO POKE FUN AT YOU, WITHOUT INDEMNIFICATION, OR GRIEVANCE TO YOUR PATHETIC COMPLAINTS. SOMEONE SHOW ME WHERE THE CAPS LOCK KEY IS!@!

(c) 2001 AntiOffline Corporation. All rights stolen. Terms of Use.

You have received this e-mail bulletin as a result of your moronic use of our Products. You may unsubscribe from this e-mail notification service at any time by sending an e-mail to WE-PAY-NO-ATTENTION-TO-YOUR-MAIL@MACROSHAFT.ORG The subject line and message body are not used in processing the request, and can be anything you like.

For more information on the MacroShaft Security Notification Service please visit http://www.packetstorm.securify.com For security-related information. For MacroShaft products, please visit the MacroShaft web site at http://www.macroshaft.org/ more advisories like this can be found here [antioffline.com]

previous versions

"Microsoft tested IE 5.01 and IE 5.5 to assess whether they are affected by this vulnerability. Previous versions are no longer supported and may or may not be affected by this vulnerability." You are on your own.