Forgot your password?
typodupeerror

Code Posted For New IE Exploit 123

Posted by kdawson
from the not-quite-zero-day dept.
PC World is reporting that two days ago hackers posted code for a new vulnerability in Internet Explorer that could allow drive-by takeover of a vulnerable PC. Security companies say that no exploits using the "daxctle" vulnerability have yet been found in the wild, but they are taking the new threat seriously. Symantec calls the bug "critical" and Secunia rates it highly critical, the most severe rating. The hackers who posted the sample code, xsec.org, refer to it as a "0day" exploit. The article quotes another security expert who calls this label "a stretch." Update: 09/17 18:00 GMT by C :Fixed link to XSec. Thanks for pointing that one out, folks.
This discussion has been archived. No new comments can be posted.

Code Posted For New IE Exploit

Comments Filter:
  • by Anonymous Coward on Sunday September 17, 2006 @08:08AM (#16124212)
    That's xsec.org [xsec.org] not xsec.com
  • Moo (Score:4, Insightful)

    by Chacham (981) on Sunday September 17, 2006 @08:22AM (#16124237) Homepage Journal
    Another ActiveX exploit. *yawn*

    If you want to be safe in IE, turn off ActiveX from untrusted sites. Hasn't this been known since day one?

    News would be if ActiveX was tested and found to be safe.

    • Re: (Score:1, Insightful)

      by cubicledrone (681598)
      Oh noes! Don't criticize teh billywindows! The PC Magazine fanzorz will moderate troll troll troll.

      Ah yes. PC Magazine. Where Macs don't exist and "power-hungry" appears in every third headline.

      • Well, to be fair, PCs only exist as limp parodies of the real thing in MacWorld and other Mac-only publications.
    • "if you want to be safe in IE, turn off ActiveX from untrusted sites"

      How do you know what is or is not an untrusted site.

      How in any way is that comment "insightful".
      • by SLi (132609) on Sunday September 17, 2006 @10:11AM (#16124539)
        Huh? If you don't have any specific reason to trust it, it's untrusted. I would have thunk that's Internet 101.
      • by Tim C (15259)
        How do you know what is or is not an untrusted site.

        That's easy. If you have to ask yourself "do I trust this site?" then the answer is no.
      • by jonadab (583620)
        All sites by default are untrusted sites. The system administrator can add specific sites (e.g., the corporate intranet) as trusted, and then those sites can use ActiveX, but you should NOT have ActiveX enabled for random sites on the internet. That would be very unsafe.
    • There has bee reports about trusted sites being hacked and spyware/viruses being planted on them. So there really isn't a thing called "trusted site". So if you want to be safe in IE, switch to Linux. If you want to be almost safe in IE, don't use it. I recommend Firefox instead.
      • Re: (Score:2, Informative)

        by trezor (555230)

        Switch to Linux and watch all my applications which I need to do my job fail. Yes, that sounds like a plan. For the record I'm a .NET developer who needs Visual Studio and SQL Server to do my work.

        You may find it hard to believe but Windows is a pretty damn secure OS, given that the one using it knows what he's doing. I'm not using MSIE, I'm not using Windows Media Player. And I have yet to have my machine BSOD, get infected with spyware/virus nor have to reinstall it periodically because it's unrespons

        • I'm sorry, but you're wrong. Linux is much more secure for most users. If you can't install the OS, and use it, you won't have any security problems.
          • by NoTheory (580275)
            yes, and you can reduce your risk of car accidents by moving into the middle of the sahara desert. The statement may be true, but it's not very useful. As for grandparent, so you develop w/ .NET, that's great for you too. I believe that VS is in the WINE list of apps. You've picked your platform, but that doesn't mean that you've got rock-solid justification for it. Ultimately the platform you pick is about your laziness, and what you want to be lazy about.
            • Strawman!! Strawman!!

              Sorry... I got carried away there. Everyone else on Slashdot misuses that term. I didn't want to feel left out.
        • I have yet to have my machine BSOD, get infected with spyware/virus nor have to reinstall it periodically because it's unresponsive. My system is working excellently and does what I want it to do

          That's great. But what if you want to use it on day two?
        • Me saying that Windows, the worlds most used, sold and deployed user-focused OS, can be used relatively securely, and that people should choose the tool/OS that does the job that needs doing best, I get modded troll, while a Linux fanboy claiming that Linux solves all problems in the world, regardless of what the actual job at hand is (without any actual backing ofcourse) doesn't.

          Great job, mods! Now you can mod this offtopic, trolling flamebait. I'm sure that the burning karma will fit right into your

    • Re: (Score:3, Interesting)

      by vhogemann (797994)
      A better alternative would be not use IE at all.

      I know most users just don't care, or don't know better. But what about developers and companies? These should be treating IE like a plague, and using it only when there's no other suitable alternatives, on a sandboxed environment.

      I used to care about IE compatibility when I designed my pages... but not anymore. I realized that most business already expect some kind of requirements for the software you sell or build for them, mine is a modern browser, with dec
      • by Chacham (981)
        ActiveX should be dead and burried by now.

        Perhaps you mean ActiveX on untrusted sites. On an intranet especially, or certain trusted sites, it can be invaluable.
      • by x2A (858210)
        ...and instead use one of the many other browsers that never has any bugs 'n exploits, like erm... errr... um... anyway, yeah, then you'd be totally secure!

    • That wouldn't be news, it would be fud :)
    • by elronxenu (117773) on Sunday September 17, 2006 @08:52AM (#16124302) Homepage
      Perhaps because the first bug you mentioned was posted 4 months ago, you can resolve it by upgrading your kernel, and almost nobody would run an application chrooted under an SMBFS network filesystem anyway.

      The second bug is only a DOS, it won't give an attacker sweet r00t permissions. And it's also 4 months old news.

      The third bug doesn't result in any privilege escalation because the kextload program isn't setuid, you'd need to find some other vulnerability in a program which uses kextload.

      And the fourth bug is a month old already, hasn't been proven to be exploitable (more likely to simply crash firefox), and is easily resolved by upgrading firefox.

  • Since this was dated September 17, make that four days ago, not two.

    Check the date on the xsec.org page referred to, daxctle2.c [xsec.org]. milw0rm 2358 [milw0rm.org] was a re-publication of this, also posted up on 09/13/2006. Republication happened at other exploit advisory sites as well, such as the SecuriTeam(TM) site, where, for some strange reason, the exploit was published twice, redundantly.

    The formal vulnerability advisories SA21910 [secunia.com] and FrSIRT/ADV-2006-3593 [frsirt.com], from Secunia and FrSIRT respectively, posted on 09/14/2006
    • by RAMMS+EIN (578166)
      ``the exploit was published twice, redundantly''

      And you are repeating yourself, twice, redundantly, saying the same thing multiple times without adding new information. ;-)
    • Assuming, of course, that one considers it wise to use MSIE at all, given a choice. But PHBs from coast to coast have left many millions of cube inmates with exactly that: no choice.

      Many of us cube inmates use IE as required internaly as required. On break, we re-boot into a live Linex CD and are unable to log into the corp domain, but happly point firefox at the corp autoproxy and surf away.
      It is safe for the corp as nothing is saved to disk. I love Ubuntu for this.
  • Firefox 1.5.07? (Score:1, Interesting)

    by jiushao (898575)
    Considering that Firefox is the more common browser on Slashdot, how about doing a story about Firefox 1.5.07 fixing four separate critical heap corruption exploits and an honest to god RSA signature spoofing exploit? These stories about IE exploits comes off as pure Microsoft-hate masturbation.
    • Re: (Score:3, Interesting)

      by makomk (752139)
      Considering that Firefox is the more common browser on Slashdot, how about doing a story about Firefox 1.5.07 fixing four separate critical heap corruption exploits and an honest to god RSA signature spoofing exploit?

      Key word: fixing. As far as I can tell, this security hole is currently unpatched.
      • by jiushao (898575)
        Granted, now they are fixed, but the exploits were known for at least several days before the update was made available (and another few days before the automatic updates picks up on it). Similiarly we can probably expect a Microsoft patch within a week (as has been the typical delay for more critical problems for some time, granted, the WMF exploit took 9 days, but that unfortunately happened during the holidays).
    • Re:Firefox 1.5.07? (Score:4, Insightful)

      by Pecisk (688001) on Sunday September 17, 2006 @08:52AM (#16124301)
      Propably because there is code in the wild for this exploit and bug itself is still unfixed?
      • Re: (Score:3, Insightful)

        by RonnyJ (651856)
        That's contrary to what the second line in the summary says, though you've still been modded up despite posting no evidence to back your claim up.

        Security companies say that no exploits using the "daxctle" vulnerability have yet been found in the wild

    • by Vexorian (959249)

      So you are saying that just to avoid people like you to call slashdot a ms-hate central, slashdot should avoid to publish an story about a new IE exploit even though it is news for nerds and stuff that matters?

      Boy , you must accept that this news item wasn't biased, it didn't come with the standard "It seems that MS screwed it again" nor any other POV , and the exploit does exist. So why get so offended?"

      • by RonnyJ (651856)
        The presence of this news item doesn't show bias.

        However, I would suggest that the lack of news items regarding security flaws in Firefox does show bias.
      • No, I think he is saying that articles like this shouldn't be of much interest to the Slashdot community, since we're not stuck using IE. All these topics are for is to poke fun at Microsoft.

        I don't agree that this is the only reason the articles are published (for one thing, Slashdot is stacked with people who claim to be OSS-advocates who are probably browsing the site on their Mom's computer running Win Me and they get sent to their room if they install anything they downloaded on it).

    • by rs232 (849320)
      Slashdot has done stories on bugs in Firefox. See ..

      Slashdot | 611 Defects, 71 Vulnerabilities Found In Firefox [slashdot.org]

      Firefox Analyzed for Bugs by Software [slashdot.org]

      Spyware Disguises Itself as Firefox Extension [slashdot.org]

      I'v also noticed how the same kind of comments from the Winpologists get modded up very quickly.

      was Re:Firefox 1.5.07?
      • by jiushao (898575)
        There is no apologizing for exploits, it is bad whoever has them. On the other hand the nature of the last round of exploits in Firefox is rather really interesting, and as such newsworthy. The cryptographic signature exploit especially warrants a rather interesting technical discussion.
        • by rs232 (849320)
          Yea, "On the other hand .." lets not talk about bugs in IEXPlorer.
        • On the other hand the nature of the last round of exploits in Firefox is rather really interesting, and as such newsworthy. The cryptographic signature exploit especially warrants a rather interesting technical discussion.

          If you are interested in the work on RSA signatures, check out this OpenPGP posting [imc.org]. The chances are that there are other RSA signature implementations out there that are vulnerable to this sort of subversion and it will be interesting to see what other products actually publish fixes an

    • Re:Firefox 1.5.07? (Score:5, Insightful)

      by Wylfing (144940) <brian AT wylfing DOT net> on Sunday September 17, 2006 @09:34AM (#16124416) Homepage Journal

      Considering that Firefox is the more common browser on Slashdot, how about doing a story about Firefox 1.5.07 fixing four separate critical heap corruption exploits and an honest to god RSA signature spoofing exploit? These stories about IE exploits comes off as pure Microsoft-hate masturbation.

      OK, smarty, I will explain the difference to you. On one hand we have Firefox, which is a piece of software that is free in both senses, and you can use it, or not use it, or delete from your system, or whatever you want. On the other hand we have Internet Explorer, which is forced upon you via "leveraging," you cannot remove, and you must use because of contrived tie-ins to fundamental system functions.

      If there is an exploit for Firefox, I can shrug my shoulders and use any of a dozen other browsers to look at web pages until it gets fixed. Or I can choose to continue using Firefox anyway, despite the risk. It's my choice. However, if there is an exploit in Internet Explorer, I am just plain screwed. I can't switch the goddamn thing off or remove it. Hell, there are plenty of applications and services that will gleefully launch IE of their own accord and start loading internets from God knows where, and there's no way for me to stop it. Because of Microsoft's predatory practices, I have no choice in the matter (except to abandon Windows altogether, which is also not an option -- see how all my choices have been removed?). You're damn right people are a lot more upset when exploits turn up in IE. We are required to suffer the fallout from them.

      • by RonnyJ (651856)
        You didn't actually address anything of the issue raised about Slashdot covering IE security issues more than Firefox issues, instead you went off on a wild tangent about how IE is integrated into the system.

        Sure, you can talk all you like about Firefox and other browsers being optional, etc., but that's not the issue being raised.
        • Someone else already mentioned that Firefox bugs actually get *fixed*, and often don't have exploits available until after they're disclosed.

          This bug is with a required piece of system software that you can't turn off, *and* it's not fixed yet, *and* there is a working exploit available. If you can think of other similar situations that aren't reported, please, feel free to submit them. Otherwise, your apples don't belong in this orange tree.
        • by ultranova (717540)

          You didn't actually address anything of the issue raised about Slashdot covering IE security issues more than Firefox issues, instead you went off on a wild tangent about how IE is integrated into the system.

          Slashdot covers IE security issues more often than Firefox security issues because IE gets new exploits much more often than Firefox, and since IE is used in a lot more machines than Firefox, IE security issues have far more potential for destruction than Firefox security issues, making them more ne

      • by suv4x4 (956391)
        If there is an exploit for Firefox, I can shrug my shoulders and use any of a dozen other browsers to look at web pages until it gets fixed. Or I can choose to continue using Firefox anyway, despite the risk. It's my choice. However, if there is an exploit in Internet Explorer, I am just plain screwed. I can't switch the goddamn thing off or remove it.

        I'm getting tired of explainint this, but here we go again: do you notice the shiny E on your desktop? This is IE. Now, if you're thinking of double clicking
      • I don't know. I've been running Windows with Internet Explorer ever since I was playing with dolls and I've never had my system compromised by any browser exploit. I think all the people who defend Firefox and Linux by saying "this is pure fud" are just as likely to spew their own "fud".
    • Considering that Firefox is the more common browser on Slashdot, how about doing a story about Firefox 1.5.07 fixing four separate critical heap corruption exploits and an honest to god RSA signature spoofing exploit? These stories about IE exploits comes off as pure Microsoft-hate masturbation.

      I don't know, perhaps because they were fixed??
      • by jiushao (898575)
        Sure, after a week of them being public knowledge (a few days for the fix to turn into a release, another few for the release to get out the door), which, coincidentally, is largely the same turnaround that Microsoft has had on serious flaws as of late.
    • by isorox (205688)
      Considering that Firefox is the more common browser on Slashdot, how about doing a story about Firefox 1.5.07 fixing four separate critical...

      Because the first I, and many or most firefox users, heard about the bugs, was when Firefox told me that a bug fix was waiting to be installed. By the time I got to slashdot, it wasn't news, or a threat.
  • by wfberg (24378) on Sunday September 17, 2006 @08:50AM (#16124296)
    The reason it's not a 0day exploit is because some other dude already discovered the vulnerability, but didn't disclose it to the public? And that second guy is sitting on another 3 or 4 vulnerabilities?

    I'm sorry, what's the definition of 0day exploit these days? If not exploit code for which there is no patch available, then what?

    Can we now use "responsible disclosure" to argue away the fact that actual computer systems are at risk of being exploited right here and now, by saying "yeah, well, you got rooted and all, but we knew about that bug, so it doesn't count, even though we don't have a patch yet."?

    Can we now take comments that the programmers left in the code ("// does this work?" "/* coded while druk */" "//BUGBUG") as an excuse to completely ignore actual vulnerabilities?

    And hey, if TWO researches come up with this vulnerability seemingly independently, what are the chances of the exploit already circulating in the black hat community? Close to 100%?

    By my definition you've got your negative-day and your zero-day exploits. Negative-day exploits; no patch yet. Zero-day; the patch has just been issued, so might as well give your exploit to scriptkiddies and botnet operators to use on the systems that don't patch early/often enough. Obviously, a negative-day exploit usually isn't going to be used on a large scale, because your average blackhatter wants to keep it in his toolkit to attack well-patched systems; after all, it's what gives him (and his leet skillz) an edge. Once patchday arrives, you might as well give it to some noobs, because they might be interested in unpatched targets, while a leet blackhatter is not.

    So no, it's not a "stretch" to call it 0day. It's negative day, even.
    • by n0-0p (325773)
      I think your definition of zero day is ops-centric, and not security-centric. In this post [slashdot.org] I give the generally accepted definition in the security community, which agrees with Moore's statement. To summarize, the security community only uses 0-day to refer to undisclosed vulnerabilities, and it does not address patch lag.
      • by wfberg (24378)
        Undisclosed to whom? The second guy seemed to be sitting on the vulnerability. He might've disclosed to Microsoft, but has the public learned of this vulnerability before? If not, they can't be taking any precautions.
        • by n0-0p (325773)
          I assumed the qualifier was understood; I meant publicly disclosed, not just disclosed to the vendor. Also, I'm not sure if you're familiar with how disclosure works, but it's not in Moore's best interests reveal that he's sitting on vulnerabilities unless he intends to disclose them soon. So he may be practicing responsible disclosure and allowing the vendor a reasonable amount of time to complete a patch. Or he may have other reasons for waiting.

          Security disclosure in general is a pretty complicated ga
          • by wfberg (24378)
            I assumed the qualifier was understood; I meant publicly disclosed, not just disclosed to the vendor. Also, I'm not sure if you're familiar with how disclosure works, but it's not in Moore's best interests reveal that he's sitting on vulnerabilities unless he intends to disclose them soon.

            In this case, it seems like disclosure isn't working - particularly "responsible" disclosure. Otherwise no one would be reporting vulnerabilities that others *claim* are already known (by whom? not the guy claiming the 0da
    • by edxwelch (600979)
      You're right it *is* a zero day exploit. There have been quite a lot of them reciently, but they haven't done much damage because they depend on the user to navigate to a malicious web site with IE and activeX switched on.
      What would really be a lot of fun is a Blaster-type zero day worm.
      (If you remember blaster only required the user to connect to the internet to be infected)
    • Re: (Score:2, Informative)

      by spinja (994674)
      The reason I don't consider it "0day" is that a public tool exists that will discover this bug in its default configuration (AxMan). Anyone who took the time could run the tool, discover the bug, and write the exploit. The tool was released on August 1st and this particular bug was reported to Microsoft in late July. Since all of this information was *widely* publicized at the time of release ( a couple dozen articles on AxMan [blogspot.com] ), I have hard time considering any of the bugs it turns up "0day" in the normal
  • Does not affect IE7 (Score:4, Interesting)

    by I'm Don Giovanni (598558) on Sunday September 17, 2006 @09:12AM (#16124349)
    This does not affect IE7:
    http://blogs.msdn.com/ie/archive/2006/09/15/756736 .aspx [msdn.com]

    (Just for edification. ;-))
    • by rs232 (849320)
      Yea, by disabling ActiveX and removing Direct Animation. But does that actually fix the defects in the controls themselves.
    • I tried a bunch of ActiveX vulnerabilities for IE6 in IE7. Some didn't even work in IE6 (probably because I didn't have Office or some other MS ActiveX controls). Only 2 out of 15-20 worked in IE7.
    • by Psykechan (255694) on Sunday September 17, 2006 @10:54AM (#16124680)
      Your link points out that IE7 is vulnerable but it will prompt you to run the ActiveX control before hosing your system. From the average user's point of view, they get a message asking to run something created and signed by Microsoft for the page to load. Tell me how many average users, even the relatively computer saavy, will allow the control to run?

      Throwing a constant barrage of OS/browser security pop-ups on the screen does not make it secure. Making it so that at exploitable control can be completely removed and not just "effectively removed" from the system helps make the system more secure but this is just a workaround. If the control was designed to be able to grant system level privileges to a web page than it's time to go back to the proverbial drawing board.

      If it wasn't designed that way, then patch it when you first hear about it over a month ago [securityfocus.com] and stop complaining about people releasing it to the public. I would rather have everyone know about it than have just Microsoft, a few security people, and several black hats knowing.
  • I'm new here. Just want to add my comment about vulnerability. I think most of the user world wide doesnt even care about vulnerability in IE. Only some of the user that are really care about this are taking action such as patching or reporting of the velnerability. All their know is just the IE can run as it suppose to be. Some says that using Firefoq is good but if the user dont even updated, there are also vulnerability there. I still remember one of my friend doesnt even know that his pc has already b
    • That's why Firefox has autoupdate. People who even don't know what a security update is, are getting updated automatically and usually within a day or two from the security release. (I have seen questions in Firefox supports forums from people who are asking what was that update thing all about they saw, which should be a proof about people getting updated, whether they understand or not. ).
    • by gigne (990887)
      Welcome to Slashdot. Prepare to spend lots of time reading meaningless articles such as these.

      As for your comment... No, users don't care as long as it works. Most people I know with ie as their main browser have all kinds of crap installed. Those annoying toolbars, flashing smileys, and popups all over the place. There is no educating these people, as they don't care to be educated. They see the windows box as a magic device that "should just work" regardless of how reckless they are with their browsing ha
  • The codes posed by the hacker will not affect the IE Version 7. The 'Oday' meaning an exploit for a previously undisclosed vulnerability. According to HD Moore, the head of the Metasploit project, he wrote an automated ActiveX testing tool called AxMan that uncovered a handful of IE bugs, including the one exploited by on xsec.org. The trouble affects users running IE 6 with Service Pack 1 on the Windows XP operating system running Service Pack 1 or the Windows 2000 operating system with Service Pack 4. T
    • by udippel (562132)
      New here ?

      In case you don't know, there's a Preview Button and 'Plain Old Text' if you don't happen to know HTML.

  • Real Damage (Score:5, Funny)

    by nurb432 (527695) on Sunday September 17, 2006 @10:40AM (#16124642) Homepage Journal
    what ever happened to exploits ( be it virus, trojan, whatever ) that cased some REAL damage?

    All this whimy-ass 'botnet' garbage needs to end. We need something that totally kills windows when you get infected. Get the people pissed off enough to force microsoft into doing something.
    • by (H)elix1 (231155)
      what ever happened to exploits ( be it virus, trojan, whatever ) that cased some REAL damage?

      3. Profit. Folks found there was money to be made off of a bot net under your control. Not uncommon to see an infected system patch itself so others can't infect the system.
      • There has to be some evil person out there that hasnt sold out to the man... In my day, it was the challenge of doing someting that drove us, not the recognition.. ( be it money or peers )
    • I always wanted to infect an entire botnet with something that overwrote the bootsector with code that didn't boot windows, just printed "This computer was infected with A Virus and was caught attacking other computers online. Your computer has now been disabled, see a computer technician to fix this and clean the virus off your machine." That way their info is still safe, but they can't boot windows to start the bot anymore.
    • All this whimy-ass 'botnet' garbage needs to end. We need something that totally kills windows when you get infected. Get the people pissed off enough to force microsoft into doing something.

      I for one am actually surprised this hasn't happened yet. Say a worm that infects 20 others then formats the hard drive. Or perhaps break into a botnet (they are not that secure) and wipe some millions of Windows PCs at once. It would not be hard to do, let your Windows get infected, figure out how they control it

      • I for one am actually surprised this hasn't happened yet. Say a worm that infects 20 others then formats the hard drive. Or perhaps break into a botnet (they are not that secure) and wipe some millions of Windows PCs at once. It would not be hard to do, let your Windows get infected, figure out how they control it and go off and get control. Time will tell, but I suspect sooner or later someone is going to do it.

        Yeah but who will notice? Windows is hosed and won't boot? Well, time for a re-install. Honey

    • by owlstead (636356)
      "All this whimy-ass 'botnet' garbage needs to end. We need something that totally kills windows when you get infected. Get the people pissed off enough to force microsoft into doing something."

      Stop nagging and start typing.
      • by nurb432 (527695)
        Sorry, but too much risk. One thing about growing old is you leave that sort of risk taking to the new kids..
  • by shaitand (626655) on Sunday September 17, 2006 @11:19AM (#16124754) Journal
    Either they released the exploit code before the hole was patched or not.
  • ...Is why these exploits and vulnerabilities are labelled "new".

    They aren't new. Maybe they have just been found, but on a product that's been out so long, the exploits have been too (unless of course they were introduced by a fix or update recently). I know it's just improper usage of the English language - kinda like the "new" planets we've found (that have been around for billions of years).

    The problem is, this creates a misconception in the casual user's mind as they think the exploit is new instead o

    • English is known for having more than one meaning for any given word. For example, here's the first two definitions of new [m-w.com] from Merriam-Webster.

      1 : having recently come into existence : RECENT, MODERN
      2 a (1) : having been seen, used, or known for a short time : NOVEL <rice was a new crop for the area> (2) : UNFAMILIAR <visit new places> b : being other than the former or old <a steady flow of new money>

      There's several other definitions for new on the same page.

      • True - but those are all context based. By definition (whichever you choose) the proper wording would be new(ly) found exploits, et al - as in the definitions you cited, there are modifiers such as "new crop " for the area" and "visit new places" is based off the perspective of who it is targeted towards (visiting New York might be visiting a new place to you, but not to me). The same with "a steady flow of new money" which is also based off the perspective of who the new money is flowing to/from.

        We all kn

  • drive-by takeover

    Yeah homies let's go pop them unsuspecting computer users with da intratubes! Show 'em what bangin' is about.

  • If that's what they're calling a vulnerability that requires user interaction, what would they rate something like a modern day Sapphire or Blaster? Give be a break. It's just another browser hole with exploit code in the wild. Medium severity at best.
  • by Myria (562655) on Sunday September 17, 2006 @07:00PM (#16126667)
    If you look at Firefox security bugs and IE security bugs, you'll see that there are more Firefox bugs than MSIE bugs in the exploit lists. There is, however, a big difference.

    When Microsoft finds a security hole themselves, they don't tell anyone, and they don't release a patch. They fix it in the tree for the next release of the OS. The only time they release a patch is when someone else finds the bug. The reason they do this is because if they release a patch, people will "bindiff" it against the previous version and find what is changed so that they can make exploits to use against unpatched users. You can't realistically "bindiff" XP vs. Vista, so they can obscure their security updates inside Vista.

    Firefox instead will issue patches no matter who finds them. This is why Firefox appears to have more bugs - you always see them get fixed.

    Melissa
  • Plugin for IE (Score:3, Interesting)

    by univgeek (442857) on Sunday September 17, 2006 @11:49PM (#16127758)
    Or whatever they are called.

    Why do people use IE? Mostly because of Intranet sites which server up IE only content and work badly or not-at-all with other browsers. How 'bout an IE plugin which opens only Intranet/trusted sites in IE and opens all else in an external safe browser? Or is this unlikely to be useful?
    • by Verunks (1000826)
      you can use ietab [mozdev.org] to embed ie into firefox and use it when you wish or automatically use it when you go to some sites like windowsupdate or other custom sites
  • IE does not safe anymore.
    why hacker were borned in this world?
    why they do not do anything else than hack?

FORTUNE'S FUN FACTS TO KNOW AND TELL: A guinea pig is not from Guinea but a rodent from South America.

Working...