Serious Security Flaw in MSIE 5.01, 5.5

Visit an attacker's webpage using Microsoft's browser on Microsoft's operating system, and the attacker can execute arbitrary code on your system with your full privileges. Oh, and thanks to Microsoft innovation - you may remember this from the trial - the browser is integrated with the OS, so reading email from an attacker (opening attachments not necessary) also gives them full access to your machine. MSIE 5.5 is vulnerable, and MSIE 5.01 is vulnerable unless you've installed Internet Explorer 5.01 Service Pack 2. Read the security bulletin and download the patches. Discovery props to Kriptopolis.

Re:Hmm..

[Anonymous Coward]

This is exactly how the white hat in question (Juan Carlos Cuartango) operates. MS had plenty of warning.

Cuartango, BTW, is probabaly the number one white hat working on IE and HTML Mail issues, and he's gone public a number of times when MS was unresponsive. Quite a few of his warnings have turned into real exploits.

Microsoft, of course, is just fixing the potholes. They really need to go back and re-evaluate their implementation of Rich Text (HTML) e-mail from the ground up.

And for anyone crowing about Netscape/Mozilla -- Don't forget that Netscape 4 has had numerous mail exploits, just that Netscape doesn't release "Security Bulletins", they release .01 version bumps with missing release notes. I don't think there's been any major Mozilla holes discovered, but it's not 1.0 yet, so the white hats are probaby sitting on their hands for now.

Recipe of disaster

[Anonymous Coward]

Just think of the following scheme: (If I understood correctly, it should be possible to create the following worm)

1) Send this worm to everyone in the address book using the randomly taken subject from the your previous emails.
2) Install timebomb into computer, which deletes all the files after few days
3) Send all your previously written emails to random recipients taken from the address book.

Worm would spread like a wildfire as the message does not look suspicious (it comes from a known sender and the subject is reasonamle as it has been used before by the sender). As no questions are asked from the user - all the outlook users reading the message would be affected.

Worm would be totally destructive, as all the files would be deleted.

Probably most damage would be done by sending the previous communication to random recipient. Just look into your sent messages folder and imagine what would happen if you would send the messages to random recipients taken from your address book.

Do you still have the gust to use Windows/IE/Outlook ?

So um...

[Wakko Warner]

When is there gonna be a software Lemon Law? A car can explode and kill or injure its occupants, but when a piece of software running mission-critical software breaks (or is broken), it can cost money, time, or, in the most severe case, lives. When will software companies be held responsible for the most egregious of errors, and would something like this be considered just that?

- A.P.

--
* CmdrTaco is an idiot.

Why would I want to download that?

[Brian Knotts]

I like the way the editors no longer ever pretend that the vast majority of readers on this site aren't running Windows.

Well, I don't like the reality behind that, simply because of what has happened to the comments as a result.

Believe it or not, at one time, that wasn't the case.

But it's funny, in a pitiful sort of way, anyhow.

Netscape *did* get revenue

[hawk]

There was a revenue sctream, and netscape did have to adjust to that. I always thought that it was pretty clear that they didn't care about the $30 from end users--they were making their mane money off server software, which needed the brosers out there. However, they *did* get paid by OEM's who included netscape.

Re:Netscape *did* get revenue

[hawk]

>So I'm not sure I get the point... what does selling/giving away their
>browser have to do with selling their server software

Mosaic, lynx, and www at the time didn't support things netscape
wanted to serve. They needed that kind of broser out there in people's
hands, or there was no pointin anyone buying theri servers.

hawk

Re:Inaccurate

[jafac]

I don't know what the deal is with my particular system;

Win2k Pro, SP1, Dell PE1300 P III 600MHz 256meg RAM -
But ever since I loaded IE 5.5, it's actually SLOWER to launch than Netscape 4.73. I don't mind the crashes all that much anymore.
(this problem also affects Word; so much for wonderful "shared libraries")

Re:Not Suprising

[sheldon]

Sniff...

You don't like me. :(

I feel really hurt.

Boo Hoo.

Re:Not Suprising

[sheldon]

Boo hoo.

You don't like me either. :(

[Obviously your someone who can't appreciate sarcasm :)]

IE's OS integration

[Mihg]

I find it odd that people are bashing MS because so many programs are using IE to render HTML.

Think about it. There is a standard way for any program to render HTML in a window. Instead of everyone reinventing the wheel, all a programmer has to do is create a COM object and display it in a window.

Of course, the average Slashdotter is using this as evidence that Microsoft is the tool of Satan and their buildings shall be razed and their children and their children's children unto the fifth generation shall be cursed and despised, etc.

Modularity is good. Standard ways of doing things is good. Code reuse is good.

Now, the fact that there is absolutely no way to replace IE with your web browser of choice is evil (despite the fact that email clients, HTML editors, conferencing software and whatever else can be easily replaced) and the fact that Microsoft is terminally unable to write a program that doesn't serve as a speedy means of either crashing the OS or inviting in unwanted network guests is also evil. So they are the tool of Satan and their buildings shall be razed and their children and their children's children unto the fifth generation shall be cursed and despised, etc.

On a side note, GNOME is doing the same thing. Any program can use gtkhtml to render HTML in a window. Evolution is using it to display email messages (sound familiar?), Red Carpet uses it for UI, and GNOME Help uses it to render content. IIRC, the plan is to eventually replace gtkhtml with Mozilla (which does a much better job of complying to standards and rendering documents than gtkhtml.

Re:Not Suprising

[johnnyb]

Isn't it funny that when a bug is discovered in Microsoft software, it's a victory for Open Source, and when a bug is discovered in Open Source software, it's a victory for Open Source?

Although it seems kind of contradictory, it's basically the difference between owning a house and renting an apartment. If you own a house, when something breaks, you feel a sense of pride of ownership when you fix it. If you rent an apartment and something breaks, you only can think about how long the stupid manager is taking to fix the problem. That's one of the main reasons that people (me included) like Linux - the pride in ownership.

Re:Ahem.

[johnnyb]

It's not disabling active stuff, you also have to disable downloads, that's right, downloads. Not executables, not active crap, just downloads.

Re:Why would I want to download that?

[jamiemccarthy]

"I like the way the editors no longer ever pretend that the vast majority of readers on this site aren't running Windows. ... Believe it or not, at one time, that wasn't the case."

The majority of readers have been running Windows ever since I've been reading Slashdot. At least, the readers I've met. The best games have always run on Windows and no self-respecting Slashdotter would be caught dead being unable to dual-boot into deathmatch heaven.

But then, the majority of readers have always been saying "Slashdot was much better back in the day," so, you're upholding a proud tradition. Carry on!

Jamie McCarthy

Re:Select "Custom" button, then the "Advanced", 2

[ansible]

Well, maybe I am a dumbass, but I didn't know that. I always thought I'd have to find the specific download package, which is not that easy to find from their website.

anyone got details?

[orabidoo]

what are the offending MIME types, so people can block them at the mail server?

Hmm..

[nebby]

Microsoft already has a fix out. I think this bug was reported today. I'm impressed.

So many people here always scream that Open Source is better because you don't have to "wait for the service pack" in order to get fixes. Granted, the bug probably would've been found sooner if the source were open, but the fact that there is a fix out already is admirable.

I think this is going to be another long thread of unwarranted Microsoft bashing. You can bitch about the bugs in IE and it's security hazards, but if they get fixed this fast then it really detracts from your argument that Microsoft sucks. There have been security flaws found in Linux with a fix issued and instead of posts saying "Linux sucks, here's yet another security patch I have to add!" they're praising the community for getting a fix out so much faster than Microsoft would have.

Re:I don't get it...

[Detritus]

Why does integration with the OS automatically give an attacker full access to your machine?

Because Windows 95/98/ME has no concept of security, all code has full access to the machine. Even with Windows NT/2000, many users run under accounts with Administrator privileges, due to the large amount of broken software that doesn't work properly when run under an account with User privileges.

Re:Joys of non-competition

[mcc]

> and you somehow reached the conclustion that it is MS' fault that all the other browsers aren't as good, right?

You could make that case, very easily. Think: if not for Microsoft, it would still today be realistic to charge money for a web browser. Meaning it would be possible for a web browser to exist on its own terms, with SERIOUS resources devoted to their development, rather than the current situation where the major browsers must squeak by with either hand-outs from a massive corporation who are only developing the browser as a political tool, or beg (unsucessfully) for money and developers from passerby.

I'm don't know if it necessarily follows from this that MS was acting in an immoral fashion by leveraging its huge pool of resources to drive everyone serious out of the browser market, but you can CERTAINLY make a good case that it is "MS' fault that all the other browsers aren't as good"..

Re:Inaccurate

[mcc]

I would say two things: first off, Creating something like BIND is infinitely more difficult than something like MSIE-- MSIE has a huge number of disparate things it's expected to do, while BIND is in a certain manner less "complex", but all the things MSIE does are *simple* and it doesn't have to do them *efficiently*. Despite this BIND, at least from where i'm standing, seems to be doing *better* than MSIE. I mean, it may just be i'm not paying attention, but big BIND problems seem to come along every five months and big MSIE problems seem to come along every two or three.. and the MSIE problems seem a bit worse. The IMPORTANT thing, though, and this has been noted elsewhere in this same discussion, is that BIND is aimed at *professionals*-- people who are skilled, and people for whom constnatly watching the security news and speedily applying new patches to the machines they are charged with watching can be considered to be part of their *job*. MSIE/OE, meanwhile, is VERY heavily used by people who don't understand computers at all, people who just wnat to print things in wordperfect every so often and get e-mail every so often. MICROSOFT HAS AN OBLIGATION TO PROTECT THESE PEOPLE, microsoft has an obligation to not leave the defenseless with security vulnerabilities, microsoft has certain obligations to simple SAFETY that the people who write BIND do not. ANd MS is failing at it. Do you really think that the kind of person who is scared by computers to the point where they never ask "I wonder how i can delete these shortcut icons off my desktop?" Is going to *EVER* update their IE, or check microsoft.com for updates, or even be able to figure out what a service pack is?

As far as Wu-ftpd goes.. dude. Seriously. Use Proftpd. It's better anyway. :) With something like Wu, it gets to the point where if you don't like the security track record of a product you should consider just not *using* it.. hell, you even have alternatives to BIND. Microsoft should realize that people don't have too much alternative to using MSIE, realize that people aren't going to switch based on security, and make it their job to fix security as a result. Although i'd bet that they let security get so bad *because* they knew nobody would stop using MSIE because of it.

> If you want to make a constructive criticism, then you should have them rewrite the whole OS.

Not a bad idea. Here's a better one. Two words: CODE AUDITS.

(at the sound of the magical words "code audit", angelic voices are heard singing from the heavens.)

MS doesn't need to *rewrite* this stuff, not *really*, but initiating a large-scale security-oriented code audit of the entire text of their networking and web browser code is something that they could really stand to do, BEFORE they start thinking about windows xp or whatever. They certainly have the resources. How do you propose to get them the initiative? Cuz it's sure as hell not my problem :)

Re:Inaccurate

[mcc]

My apologies for being unclear. That comment was meant to refer to microsoft's *web browser* division, and microsoft's web brower division *only*. Yes, of course server OSes and server apps will have security issues from time to time. I don't expect them not to. The thing that leaves me a bit taken aback, though, is microsoft's tendencies to have security issues in a low-end *consumer-oriented* app like a web browser. WEB BROWSERS ARE NOT THE KIND OF THING WE SHOULD HAVE A SECURITY TRACK RECORD TO KEEP TRACK OF, and that was my only point.

YESS, it really kind of *is* an MS thing. Except for one vague memory or so of an incident involving a java hole, you just plain don't *SEE* security holes popping up with Netscape or Opera or Omniweb or really ANY browser except MSIE! *Netscape* got security right, and their software was AWFUL! But that there should be THIS many instances of hardware-access-level vulnerabilities in something meant to display web pages.. just. blah. it blows my mind.

--mcc
it is late and i am spastic and bitter

Re:Inaccurate

[mcc]

> In short, I wish people would stop with the idiotic Microsoft bashing. All software has bugs. Let's fix it and move on.

The problem with this is that this isn't just a Well, Now It's Over And We Can All Get On With Our Lives type thing. If this were an isolated incident, "Move on" would be good advice indeed; however, Microsoft is developing a literal track record when it comes to security vulnerabilities. Security holes in MSIE, SERIOUS ones, seem to be cropping up on the order of once every couple of months;
i can think of at least four times since MSIE 4 that ways for attackers to affect the contents of an MSIE user's hard drive have been discovered, and i haven't even been watching it closely.
Are you really sure that "forgive and forget" is a good idea?? Do you honestly think that this isn't going to happen again? Do you honestly think if people let this issue rest-- and they will-- that microsoft is going to change its ways on its own? It certainly didn't the LAST couple of times this happened.

Keep in mind these are the people that you're supposed to be buying an attempted NETWORK OS (windows xp) from in a year or so, and they can't pull off security in a passive web browser. XP involves the passing around of remote executable code, doesn't it? Don't you think some SERIOUS pressure needs to be brought to bear on microsoft until they take steps to ensure that the security issues in their browsers are dealt with, COMPLETELY?

I am a Mac OS X user, so i am not *too* worried about this, but i do use MSIE from time to time, and so i for one am extremely alarmed with microsoft's nonchalance with security issues. Microsoft seems to have no interest to bring these "technologies" (activex, for example) that seem to be causing the problems to the macintosh platform, and the Macintosh port of IE shares no codebase with the windows version, so i am not directly threatened; however i still feel somewhat insecure with using MSIE.

Re:Joys of non-competition

[HiThere]

Mozilla crashes within 15 minutes? Are you running release version 0.8? Switch to 0.8.1 immediately! (Most of the versions between 0.8 and 0.8.1 were pretty bad...I went back to 0.7 for awhile, but 0.8.1 was reasonably good again. 2001032804 hasn't given me any trouble yet (I think the scrambled graphics were a problem at the User Friendly site), but the day is young.

And investigate win98Lite. I stopped choosing to upgrade MS products before the first UCITA law was passed, or perhaps it was before the DMCA was passed ... which ever came first. I haven't clicked on one of their agreements since then, and don't intend to. If someone insists on MS, then they have to make the agreement. That's one thing I won't do for them.


Caution: Now approaching the (technological) singularity.

Re:that breaks important browser features

[HiThere]

Well, he said few rights, not none. Presumably the browser would be able to write to a file in its own (home?) folder. It could save all of it's downloaded files into one folder (allowing the user to create sub-folders as appropriate). Then the users could log in as themselves and move the file to the appropriate location.

Thinking this over, the web browser should have a special folder under each user to which it could write. Starting the web browser should be equivalent to logging in as user WebBrowser, with the current directory set to the web browser folder for whoever you happened to be before starting the web browser. The web browser user shouldn't have the right to open any directories belonging to any other user. Quitting the web browser shell should exit you back to who you were before. And ever web-capable user should be able to read files and execute folders owned by the web browser user.

This might be a bit inconvenient, but not terribly so. Setting it up would be a pain, but could easily be worth it (OTOH, I'm thinking of installing a distribution with the 2.4 kernel, so I probably won't run out and do this right now).

Caution: Now approaching the (technological) singularity.

IE 4 probably isn't affected

[alienmole]

I don't think it would kill Microsoft to test this with IE4, and at least inform their customers whether they were affected, even if they don't supply a patch.

My guess is the reason they don't do that, is that they don't believe IE4 is affected. Admitting that would make them look bad, so they're rather spread FUD about the safety of their older software, to try to encourage upgrades.

That kind of violates the idea idea of having software versioning, now doesn't it?

No, it doesn't. It's perfectly normal to continue to release patches for older products, for just about any software company other than Microsoft. In fact, Microsoft itself has done this in the past: they released a service pack for NT 3.51 after NT 4.0 was out. I don't remember the timing on NT4 SP6a - that may have come out after Win2K, too.

Re:New read and execute features in IE 5.5

[sharkey]

What about Huckster?...

That's the name of the holding corporation that MS will use to sell Hackster.

--

Re:Windows Update?

[leperjuice]

I'm sorry, but Microsoft does not consider a patch that closes a remote sploit for allowing malicious users to "take any action on the computer that the user can take" as a critical update. Thank you, please call again!

I wonder, given the number of days it will take between now and when they finally get off their tuckuses and add it to the update page, how many people will be affected that otherwise could have been protected.

If it takes more than a week, I could imagine the lawyers would be drooling over the negligence of Microsoft, EULA or no.

Note that few contracts are totally rock solid; it depends on how many lawers you can affort to hammer on it. Look at what happened to poor Toshiba...

Re:Hmm..

[Surak]

MS had plenty of warning. Obviously. Because it's fixed in IE5.01 SP2. Duh. :)

um, okay...

[delmoi]

Oh, and thanks to Microsoft innovation - you may remember this from the trial - the browser is integrated with the OS, so reading email from an attacker

I fail to see how that makes sense... What does the fact that IE is part of the OS have to do with email?

If this security flaw existed in, say, mozilla, then any program that used it's HTML rendering engine would be just as vulnerable.

So they really _do_ withhold updates[Next monday?]

[drenehtsral]

Well, i guess they really do withhold updates... Who would have guessed =:-)

Not a flaw, a support tool!

[bdowne01]

Yesterday when I was on a tech support call with Microsoft (our Exchange server was glowing red and hovering), they simply told us to start up Internet Explorer and they'd fix the problem from their end. Just like magic, the server floated back into the rack and stopped glowing!

Hats off to M$ for writing such an amazing tech support tool!

Re:Inaccurate

[Wah]

just a quick note. I checked the MS update page after I saw this story. It did NOT list this as a "critical update", at least not for 5.01. Upgrading to SP2 was an option under "Recommended Updates". I don't know if this bug set off their "critical updates" program since I don't use it. It is a tough situation for them, tons of clueless users who will get abused, but it should be their responsibility on some level for damages associated with abuses for their software. Yes, I know their EULA tries to head off that argument, but the whole monopoly thing seems to be a decent counteragument.
--

Microsoft & Diversity

[SMN]

Interesting excerpt, from the "Technical Details" portion of the support page:

An attacker could use this vulnerability in either of two scenarios.

She could host an affected HTML e-mail on a web site and try to persuade another user to visit it, at which point script on a web page could open the mail and initiate the executable. Alternatively, she could send the HTML mail directly to the user. In either case, the executable attachment, if it ran, would be limited only by user's permissions on the system.

(Emphasis mine)

Well I guess Microsoft has finally realized that we males are too stupid to be "attackers," since everyone knows that the vast majority of 5r1pt k1dd13s are women. I was going to try to be an 3133t hax0r, but apparently the women have beaten us to that, too. I suppose the only quick and dirty way to rake up some cash now is to audition for Survivor.

Re:Microsoft & Diversity

[SMN]

I sure wasn't trying to be a troll -- I hope it didn't come off that way =( Just wanted to take the opportunity to get in a cheap shot at Microsoft.

Technically, the "correct" way is to write out "he or she," but that sounds very cumbersome, especially when you start adding in "his or her" and "him or her" into the mix, all in the same sentence.

I'm a big fan of using "they," as you typically hear on the street these days, or "he," if you're in the company of people mature enough to understand you're not trying to make sexist assumptions. I really hate this politically correct crap that keeps going too far. . .

Day In The Life Of Net Scam Artists

[SMN]

Day In The Life Of Net Scam Artists [slashdot.org]

CRIMINAL NO. 0
12:32 AM Some lamer just offered me $250 to write a one-day journal of my hacking. I brag that I can make $4,000 a day by stealing credit cards, but I'm still willing to spend several hours writing a journal for a meager $250. With that kind of incentive, you can be sure that none of this is made up. None of it. Trust me, I'll appeal to the media's maniacal demand for sensationalist hacker stories.
12:38 PM Found a cool new way to hack people. 31337. [microsoft.com]
12:39 AM Sent out a mass HTML email to hundreds of AOL Lusers with code to steal their passwords. The technical flaw only exploits Outlook Express users, but those Lamers are stupid enough that somehow it'll still work in their AOL mail programs.
12:40 AM Going to my girlfriend's house.
12:41 AM Back from girlfriend's.
1:14 AM Got 217,468.25 AOL logins already. Haha, those lamers are so stupid! I can steal all your passwords, America, and there's nothing you can do about it because I'm a scary hacker! ph34r me.
1:27 AM Ran a secret hacker script to extract credit card numbers. Bought $1,000,000,000 worth of cocaine from a secret hacker website at http://www.dea.gov/ [dea.gov]. The Feds will never be able to figure out my address, because I sent it to my mom, who's sleeping in her room down the hall. And my ISP will never give my name away - AOL doesn't do that kind of thing.
1:30 AM Realized its past my bedtime. Mommy's yelling at me to go to sleep. Remember, America, hackers can do anything! But send me your credit card number and I guarantee that you'll be safe from hackers.

(Score:-1, Corny)

Re:Day In The Life Of Net Scam Artists

[SMN]

. . . and he's still getting more than I am.

(This always is the point where the moderators finally get some pitty and moderate me up, only for someone in my school to see it and show everyone else =)

/. at it's best

[tiny69]

Slashdot just can't let the opportunity to smear MS go by. Is this really news? MS has a big security hole in one of their products. Does this surprise anyone?

But when the 2.2.x kernels have a _BIG_ security hole that allows users to exploit [securityfocus.com] it against _ANY_ SUID binary, well that must not be news worthy...

Re:Inaccurate

[Kwantus]

Oh, and thanks to Microsoft innovation - you may remember this from the trial - the browser is integrated with the OS, [etc, etc]

That is inaccurate.

What you quoted is not inaccurate. It was established in the FoF that it is virtually impossible to remove IE from Winduhs98, and thus simply removing the vulnerable software is not an option. If KDE had such a flaw, you could rm it entirely, or simply stop running it.

What's perhaps worse, is that a lot of Winduhs users I know would think they could avoid the problem by using a browser like NeoPlanet, not realising it's just an IE wrapper. They'll plunk themselves into the worse situation of thinking they're safe when they aren't.

That is what M$ innovation gave us.

Ever heard of the term "reuse"?

Yes, it's called linking a library and it wasn't invented with OO. And from the way DLLs get sprinkled all over the system I don't think a lot of SW authors accomplish/bother with "reuse" on Winduhs anyway.

I don't get it...

[macpeep]

"Oh, and thanks to Microsoft innovation - you may remember this from the trial - the browser is integrated with the OS, so reading email from an attacker (opening attachments not necessary) also gives them full access to your machine."

Why does integration with the OS automatically give an attacker full access to your machine? Just because IE comes with the system and because it shares DLL's that the system uses doesn't mean that you would be running your email app or your browser as root / administrator or anything like that. What's the ingress here refering to?

Re:I don't get it...

[macpeep]

You still didn't answer my question. Yes, Windows has poor / no concept of security but what does OS *INTEGRATION* have to do with any of this?

Re:Hmm..

[Malcontent]

That seems to be the standard MS response. "See this great feature we advertised heavily, now please turn it off if you want your software to function properly".

Re:Inaccurate

[Malcontent]

I would guess that most slashdot users probably don't run wu-ftpd. Even if they do they probably subscribe the listserve which let's them know immediately when something is cracked. Unfortunately most lusers who use IE will never even know that this security hole exists and will never upgrade their IE thereby unleashing all kinds of meyhem on the internet which we will have deal with.

I know of no Linux user who runs server software like bind or proftpd who does not monitor their logs, subcribe to security listserves and is generally paranoid about being hacked. Recently when a vulnerability was anounced in proftpd (first one in a long time) I got email both from the proftpd folks and debian. I upgraded via apt withing minutes after I got the email (I sshed in from work) and I was safe.
Too bad less then 5% of IE users will ever take that kind of action.

Re:Inaccurate

[Malcontent]

I highly doubt that even the most idiotic luser would accidently press the "SERVER" button instead of the "WORKSTATION" button. Even so more and distros are installing safer defaults. In fact I was recently at bust buy and noticed thad SUSE was actually selling two boxes one for workstation and one for server (the server costing a bit more).

Re:Inaccurate

[Malcontent]

Come on now BIND, wu-ftpd, and even sendmail get bashed regularly on slashdot (and rightfully so especially BIND). It's because of all the bashing that BIND9 was re-written from scratch.

Don't you remember the recent thread about BIND? Whenever a major security breach is discovered it gets covered on slashdot why should MS be immune?

Re:Inaccurate

[Malcontent]

Well that's not what they testified to in court. Are you suggesting that the top brass on MS committed perjury?

Meanwhile, in related news..

[Tuck]

For immediate release:

Foot-And-Mouth Believed To Be First Virus Unable To Spread Through Microsoft Outlook

Atlanta, Ga. (SatireWire.com)

Scientists at the Centers for Disease Control and Symantec's AntiVirus Research Center today confirmed that foot-and-mouth disease cannot be spread by Microsoft's Outlook email application, believed to be the first time the program has ever failed to propagate a major virus.

"Frankly, we've never heard of a virus that couldn't spread through Microsoft Outlook, so our findings were, to say the least, unexpected," said Clive Sarnow, director of the CDC's infectious disease unit.

The study was immediately hailed by British officials, who said it will save millions of pounds and thousands of man hours. "Up until now we have, quite naturally, assumed that both foot-and-mouth and mad cow were spread by Microsoft Outlook," said Nick Brown, Britain's Agriculture Minister. "By eliminating it, we can focus our resources elsewhere."

However, researchers in the Netherlands, where foot-and-mouth has recently appeared, said they are not yet prepared to disqualify Outlook, which has been the progenitor of viruses such as "I Love You," "Bubbleboy," "Anna Kournikova," and "Naked Wife," to name but a few.

Said Nils Overmars, director of the Molecular Virology Lab at Leiden University: "It's not that we don't trust the research, it's just that as scientists, we are trained to be skeptical of any finding that flies in the face of established truth. And this one flies in the face like a blind drunk sparrow."

Executives at Microsoft, meanwhile, were equally skeptical, insisting that Outlook's patented Virus Transfer Protocol (VTP) has proven virtually pervious to any virus. The company, however, will issue a free VTP patch if it turns out the application is not vulnerable to foot-and-mouth.

Such an admission would be embarrassing for the software giant, but Symantec virologist Ariel Kologne insisted that no one is more humiliated by the study than she is. "Only last week, I had a reporter ask if the foot-and-mouth virus spreads through Microsoft Outlook, and I told him, 'Doesn't everything?'" she recalled. "Who would've thought?"

Copyright © 2001, SatireWire

--

Re:Joys of non-competition

[befletch]

Mozilla crashes within 15 minutes? Are you running release version 0.8? Switch to 0.8.1 immediately! (Most of the versions between 0.8 and 0.8.1 were pretty bad...I went back to 0.7 for awhile, but 0.8.1 was reasonably good again. 2001032804 hasn't given me any trouble yet (I think the scrambled graphics were a problem at the User Friendly site), but the day is young.

Now this here is a textbook-quality example of why it is so hard to tell from written messages whether someone is trying to be funny or not. Taken seriously, this person seems to be suggesting that normal people, or at least normal slashdot people, should be willing to evaluate the relative advantages of 0.7, 0.8, 0.8.0.x, and 0.8.1 builds of a web browser over the course of a month or so. Taken as a joke, HiThere is pointing out how some of us have jobs or go to school.

Somebody want to help me out here?

Re:Joys of non-competition

[Simon Brooke]

Netscape? Don't make me laugh. Mozilla? I like it, but it still crashes within 15 minutes.

Sad but (more or less) true. Konqueror, on the other hand, is now pretty stable, does 95% of things right, and is very close to being a thoroughly satisfactory browser.

Re:IE's OS integration

[weave]

I disagree with almost all of you. Having HTML-rendering code available as an API for all programs to invoke if needed is not a bad thing. The problem here is the crap that comes along with that, and the numero uno biggy is Active X.

When Active X was first announced, all security-minded folks heaved, sighed, and worried. "Download native code with full privs and it runs on my box?" Microsoft assured everyone that it wasn't a problem cause all code would be signed and you could limit what gets run on your box.

As history has shown, this promise has failed. We've had hacks exploiting weak Microsoft-supplied active X controls, Active X controls that come with Windows (and hence already installed) with problems that get exploited (hence no prompting), and bogus verisign certs that appear to come from Microsoft and problems revoking it. And finally, just plain stupid users who will press OK on any dialog box that comes there way...

So it's not the bundling of an HTML rendering engine that bothers me, it's the crap that comes with it.

BTW, on my windows boxen, I just set the option for active x code and scripting to "prompt" instead of enable or disable. It can be a pain at times, but unless I'm doing something like visiting the Windows update site, I usually deny any active x invokations on almost all web sites I visit.

Re:Inaccurate

[rajafarian]

Dude, that is so fucking funny. Sounds like you're saying. "that is NOT a cube; THAT is a physical object with six squares of the same size for physical boundaries. ha ha ha he ROTFL

Re:Inaccurate

[Hard_Code]

It has little to do with "object orientation" also. It has to do with the security system. Whether code is reused or not does not matter...if vulnerable applications are run with powerful privelages, bad things will happen.

Re:Microsoft & Diversity

[QuantumG]

actually that's sort of a political correctness phenomenon.. there was a time when if I wrote the like: "all a mailman has to do is take his bag of letters and put them in the mailboxes" and you would quickly recieve a deluge of feminists screaming for blood. "Women can be mailpersons too!", "why do you naturally assume that your mail must be delivered by a man." So rather than go to the linquistic complexity of making sure your sentences are without gender bias, a lot of P.C. writers chose to make every sentence female gender biased. Would one not expect a deluge of men screaming how they can be leet hackers too? Apparently not. Now why do you think that is?

Re:Microsoft & Diversity

[QuantumG]

Translate this arguement into french where there is not indeterminate gender and there is specifically a "male dominiates over female" rule for talking about groups.

Inaccurate (you too)

[Dwonis]

All software has bugs.

Short answer:

s/All/Most/

[Too ]Long answer:

Not really. I've seen some code written by disciplined programmers that I would say is perfect. So I think software had bugs because of a lack of programmer discipline. I think most people will agree that it's possible to make a perfect function (i.e. it does exactly what it's supposed to do, handling all possible errors, etc). It's also possible to make every function perfect. Therefore, it is possible to make an entire program perfect. I've done it with smaller programs (nothing I've released yet) and I intend to do it again with a larger one I'm beginning to write (it's an XMMS replacement).

Anyway, I agree with everything else you said. That's just a pet-peeve of mine.
--------
Genius dies of the same blow that destroys liberty.

Re:Microsoft & Diversity

[Dwonis]

...which is interesting, because many European languages (including English) use the male gender as a male AND indeterminate gender. Now it's just confusing as hell.

"Why mailman?"

"Why _NOT_ mailman?"
--------
Genius dies of the same blow that destroys liberty.

Re:Microsoft doing disservice to users

[Dwonis]

it was time to do the windows equivalent of using dkpg, hit windows update

Buckling in pain. Please refrain from comparing dpkg to Windows Update as if they're almost the same thing. It just hurts.
--------
Genius dies of the same blow that destroys liberty.

Re:Why would I want to download that?

[Dwonis]

FPS games are much more fun on a LAN with 8 or more of your friends. Single-player FPS games are boring, as are network games with a small number of players you can't yell across the room at.
--------
Genius dies of the same blow that destroys liberty.

Re:Not Suprising

[Dwonis]

It goes the other way, too. I've seen crappy programmers who are so proud of their code they think it's worth millions of dollars, and they don't want to let anyone see it.
--------
Genius dies of the same blow that destroys liberty.

Re:Some day even you will grow up

[Dwonis]

The problem with Linux guys is that they use Linux because of its robustness, and an OS that *ever* *needs* a reboot because of memory leaks simply isn't robust.

I'll probably get flamed for this, but I think a large portion of Linux advocates are just like a large portion of <anything> advocates: they are people who blindly try to follow what the intelligent people are doing, so they can look and feel intelligent too. Of course, they often miss the REASONS why intelligent people act a certain way and do regally stupid things that make the real intelligent people look bad. (I know I've done that, though I tend to notice it later.)

Get used to most people being stupid in one way or another.
--------
Genius dies of the same blow that destroys liberty.

Re:/me sighs....

[Dwonis]

Pine sucks. Use mutt [mutt.org].
--------
Genius dies of the same blow that destroys liberty.

Re:Microsoft & Diversity

[Dwonis]

I was talking about French. Its roots may be "male dominates over female", but it still serves the same function.
--------
Genius dies of the same blow that destroys liberty.

Re:Microsoft & Diversity

[Tackhead]

> So some people use "he", some people use "s/he", some people use "they", some people use "she", and others alternate between "she" and "he."

We're talking about skr1pt k1dd13z here.

"it".

End of discussion.

Re:Windows sucks now, eh?

[0xA]

Ok, I did a fresh install of windows on a computer at work. Windows 98 first edition. I popped in the cd, the install ran, and in 30 minutes the computer booted and I went to the Windows Update site. Four downloads and two reboots later, I have a reasonably secure system with no known exploits. Full install, all fixes applied - less than an hour and a half.


This is a pretty useless argument. Atfer spending this amount of time with an install of Windows 98, adding the updates and rebooting a couple of times you have an OS installed. If I spent the same amount of time with a Red Hat 7 install and updates I have everything I need to get my work done. I have Emacs and and gcc andPERL and Apache and MySQL and OpenSSH and Abiword and Gnumeric and Netscape and Mutt, etc.

You have Windows, IE, Outlook Express and WordPad. Joy, just what the hell are you going to do with that?

You're comment about Windows being secure is true. On the other hand its' not like it does anything either. As soon as you install an FTP server, a web server, an RDBMS and a remote acces program you have the potential to get just as "owned" as any other OS.

What people are trying to say here is that making my email program execute code because I've got something showing in the preview pane is pretty damn dangerous. Yesterday, for the first time in my life, I recived an email that makes use of these fancy scripting features. Its' a piece of spam (which I signed up for) from the Ministry of sound with a link to their new TV ad and a little flash animation. Its' pretty cool but I'll live without it if that's the cost of not getting email that causes some trojan to be executed.

Re:Translation for Slashbots

[BlueUnderwear]

>Recommendation: Customers using IE should install the patch immediately.
> So basically, this lets someone malicious tell your computer what to do.

Especially since Micro$oft's crypto certificate has been leaked. So you cannot even be sure that the patch is from the real Micro$oft either!

Re:Web browsers belong in a jail

[jesser]

Done this way, it doesn't matter if the browser code has security holes because the browser code is not trusted. The mandatory security protections of the OS prevent it from doing anything. This is the right way to do it, and the only one that will work.

That works if you only use the web for fun and/or reference, but if you type your credit card number into any website, you should hope that other sites aren't able to read your cookie file or hijack your browser to send everything you type into other sites to the malicious site. I guess you could tell the user to restart their browser after visiting any questionable site and throw out the cookies file between each session, but I doubt it would be worth the effort and loss of functionality.

By the way, preventing the browser from mucking with your files wouldn't solve privacy problems such as bug 57351 [mozilla.org] (present in both IE and Mozilla).

Re:Browser/OS integration will always be risky

[barneyfoo]

This whole "integration" label is kind of wrong-headed to begin with. Technically calculator is integrated into the OS (bundled, whatever you want to call it).

Browser "integration" into the os isn't risky if it's done intelligently. A Browser now-a-days is an external browser interface, a core html rendering widget, and plugins. It's not ludicrous to put the rendering widget into a system library (like microsoft does) because this doesn't preclude security in any way. (although it is ludicrous to make it non-removable *cough*).

Imo, the correct way to look at this is in the legalistic manner. Monopolies can be found guilty of a method called "Tying" which basicly what MS did. They bolted IE onto the side of windows and made it catastrophic to remove IE functionality (not for very good reasons). Should MS make it possible to remove the browser? Of course. I'm sure there would be many sys admins out there drooling at the chance to do just that. Of course MS would never do that. IE is now their forced-onto-everyone interface to .NET the embraced and extended internet of the future (as they would have it). It's too bad that if people dont want IE it's tough shit for them. Mozilla would be a /much/ better alternative if they were allowed the hooks into the OS that loads it on startup into memory, and makes it persistent, and makes it so it loads the mozilla widget when you type in a url in the explorer application.. Too bad those API's aren't documented. Maybe MS considers them "application specific" and not part of the OS. What nebulous nit picking.

I'll see you in splittsville, MS.

Re: come on now...

[Pfhreakaz0id]

Haven't you guys ever heard of Windows Update? I assume (I don't know, because I run IE6 preview) that everyone has a critical update notification about right now (assuming you run it). Windows update even works for older OS'es where it wasn't built in (like nt4). Again, before I get flamed I'm assuming this patch is on Windows update, but I don't know, because I don't run ie 5.5. I'm sure it will be shortly.
---

Re:Inaccurate

[fanatic]

That is inaccurate. It's thanks to an object oriented operating system that we have this problem.

Not sure what OO has to do with it; the problem is a program that executes code recieved from the net without even asking. That's the problem. Let's hope KDE never does anything that silly.

--

--

Re:Hmm..

[donutello]

The way these things work is that whoever discovers the bug, if they are a white hats, sends a message to the software manufacturer. Usually it is of the form "Here's the bug, here's what it can do. You have XX days to issue a fix. After XX days I will post this to a security discussion alias with/without also posting the exploit".

The fact that the bug was reported today does not mean that that is when Microsoft found out about it.

I had a funny experience. I went to the website and downloaded and ran the patch but it gave me a message saying I did not need to install this update and exited. Anyone else have this happen?

Re:Joys of non-competition

[Deluge]

i like opera, it can even disable animated gifs

In IE you go to Tools -> Internet Options, and uncheck "Play Animations." Bingo, no more animated gifs.

---

Re:Inaccurate

[Deluge]

Hell, you can't even get the damn icon off your desktop without going to rather a lot of trouble.

Exactly. The technical knowledge and skill necessary to position the mouse over the IE icon, right click, and select "Delete" is beyond the average user's ability. It needs to be made simpler. I think the desktop should have the IE icon, and the rest of the desktop should be devoted to a 600x600 button saying "Click here to remove IE icon from desktop." Would that please you and the hapless idiot users you seem to be speaking on behalf of? Cheers!

---

Re:Hmm..

[Deluge]

Dunno about anyone else, but the single fastest way to have a functional machine go belly up, regardless of OS, is to change something willy-nilly, without knowing what it does. Allowing the vendor to have control over what gets patched and when is suicidal and not in thebest interest of users.

Fortunately, aside from the NT4 Service Pack messes, MS has been rather good about providing useful patches for security issues. And when you're dealing with users who should, but don't, and never will have any interest in what security flaws exist on their machines and what can be done to remedy those flaws, putting MS in charge *IS* in the best interest of those users, because at least *SOMEONE* is doing something to protect these people.

autoinstalling anything, without reading the release notes and taking the time to figure out if you really need the changes, is totally begging for problems. Users like my mom don't stand a chance

Again, I'd rather have my mom's machine crash because of a bad patch that got automatically DL'd in an attempt to secure the box, than have her personal and business documents/data exposed to some l33t h4x0r who thought her machine might be a fun target.

---

Re:Hmm..

[puetzk]

afaik, this bug has been actively exploited for at least a week or more - there was a link being broadly crossposted in the diablo2 forums that led to a page which tried it (or something very like it, but I suspect the same hole) and passively installed a trojan.

So if it's the same bug, I saw attempts to exploit it a week or more ago, and I think the posts were older than that. Still nice that they admitted it and fixed it though.

Re:Not Suprising

[crucini]

I find it amusing that the worst purveyer of unprompted MS-bashing, Malda, is also the only editor who regularly admits to using Windows.

I find that quite understandable. People who don't deal with Windows on a regular basis generally don't have very strong feelings about it. This makes it easy (and fun) to maintain an attitude of casual scorn and contempt toward that particular festering pile. When one is forced to use Windows, however, one's attitude unfortunately degenerates into pulsating screaming hatred.

Re:Hmm..

[Perx]

Read the 'Caveats' section on this [microsoft.com] page.

Re:at first this didn't seem all that funny...

[gvonk]

hehe i was gonna take out all but the end but i actually said to myself, in my head... "the end will redeem me"

Translation for Slashbots

[gvonk]

Here's the translation for your average slashdotter

Originally posted: March 29, 2001

We would have told you earlier, but we were sharpening our throwing knives and trying to install "Unix" on our computers...

Summary
Who should read this bulletin: Customers using Microsoft® Internet Explorer.

Let's see... IF I were running IE, then the Attackers^tm would be fiercely attacking me now and I wouldn't be reading this right now... but the translation is:

Who should read this bulletin: any of the sheeple that we have convinced to use our (superior) product.

Impact of vulnerability: Run code of attacker's choice.

So basically, this lets someone malicious tell your computer what to do.

Recommendation: Customers using IE should install the patch immediately.

So basically, this lets someone malicious tell your computer what to do.

Re:¹Red Hat Linux not without its flaws

[The_Messenger]

Better to use an operating system that has not had a remote hole in three years: OpenBSD.

No one finds holes in OpenBSD because it has a total of five users, including Theo and Theo's mom. Holes in Windows and Red Hat are found most often because the former is the most-used OS and the latter is GNU/Linux for newbies. Theo can afford to be smug. If OpenBSD had 1% of users that GNU/Linux does, its reputation would be considerably less pristine.

(That is, if you can tolerate it's slow-ass filesystem implementation.)

...and the lack of SMP. Sure, it runs on six or seven architectures (courtesy of NetBSD), but lack of SMP is the reason I won't run OpenBSD anywhere. (For instance, OpenBSD supports SPARC, but I haven't even personally seen a Sun box with less than eight CPUs in years.) This is the first reason OpenBSD has no future in business.

The second reason is the complete lack of commercial software. (Even FreeBSD does better in this area!) GNU/Linux may have more reported bugs, but it also runs fucking Oracle 8i. (And, yes, anyone who suggests that I replace my Oracle installations with MySQL gets beaten with the clue stick.)

OpenBSD only has a future as a firewall for the 386 in the corner, and frankly, most admins with a clue would rather run GNU/Linux on that firewall because encrypted swap doesn't mean shit if the machine is just looking at packets all day.

Not to mention the fact that the future of the product rests in the hands of a single Canadian cryto-nut with a well-deserved reputation as a whiny, bitchy, moody control freak. The project has other developers but it is no secret that Theo 0wns OpenBSD. Before you mod this as flamebait, think: maybe there's a reason why everyone who has heard of DeRaadt has heard of DeRaadt's emotional instability. Even if OpenBSD ran Oracle on my company's SMP RS/6000s, I'd be hesitant to use it because of this sticking point.

--

Re:Pet Peeve

[The_Messenger]

Yet, they keep cranking out new writes of the same old horse with new bugs every couple of years to make $$$$$$$$$$$..

Windows has existed in its present forms for about five years. UNIX has been around for 25-30. BSD for 20. GNU for 15. Linux for 10.

Their operating systems boast a superior UI, an extensive object-oriented architecture complete with distributed RMI, and run on a greater variety of hardware than any other system, including GNU/Linux.

NT has only taken market share from UNIX. (Which, as most of you are too ignorant to know, was a Big Bad Corporate OS in the 80s. Just like IBM was evil in the 80s. How things change... a few open-source UNIX-ripoffs later, and UNIX is considered "grassroots" by many people here, just like IBM is now seen in a similar light for their "heartfelt" support of Linux.)

They've also completely taken over the desktop market. Of course the roots of this monopoly are 20 years old, but they've only had a truly desirable product for about five.

I like NT. I wouldn't let it in my server room, but it makes a damn good workstation OS. I like its interface best of all I've tried. It has excellent hardware and application support. In addition to being a great development environment, it plays games and DVDs. And my UNIX boxes are never farther away than a telnet session.

MSFT has perhaps produced a greater volume of useful code in five years than anyone else ever has, and NT is still four times younger than UNIX. So I'm willing to forgive some bugs.

--

No problems here...

[The_Messenger]

I'm posting this from IE 5.5 on NT5 and ØÄȦ®$ûüè h4w h4w! I 0wn 4ll j00r b0X0rz!! ØÄȦ®$ûüève experienced absolutely no problems. Furthermore,ØÄȦ®$ûüè w0w d00d 1 4m 50 3l337 ØÄȦ®$ûüèsecurity issues on the web today. What about Netscape 6? For instance, NetØÄȦ®$ûüè m$ c4n suX0rz my c0ckz!!! llolololol ØÄȦ®$ûüèPerhaps Slashdot is blowing this out of proportion.

--

Signed patch

[aridhol]

Remember to use our patch, signed by us and Verisign.

Microsoft doing disservice to users

[biohazard99]

I finally got my system up and running today again (shipped with a fried stick of SDRAM, not sure how that one got out the door) decidied that it was time to do the windows equivalent of using dkpg, hit windows update. Fresh JVM, DirectX8a, IE 5.5sp1 build, the whole nine yards, just completed ~1.5 hrs ago. No warnings there at Win Update, I have to go to an "alternative focus" web site to get word that I have a huge security leak on my system. I wonder why the apache team even bothers making a win32 port if the system gets wiped out by a newbie admin who checked his mail from the web server.

Re:that breaks important browser features

[Animats]

Yes, it breaks some browser features. Here's how that could be dealt with.

To let a file out of the jail, it has to be shown to be harmless. This is the job of a "downgrader", (actually, we're talking about an "upgrader" here, but the terminology comes from DoD security and is traditional) a trusted application which examines files to determine if it safe to change their security level. A reasonable automatic downgrader for web content would strip all executable content and anything else it didn't understand, leaving only plain HTML and images. A manual downgrader for other stuff may also be available, depending on site policy. Its use might be restricted; in a DoD environment, only the security officer could run it. The point, though, is that this sort of thing is a rare event and requires special attention. The browser does not need enough privileges to do it independent of the user.

Letting the browser run player-type apps is OK, but they have to run in their own jails. This handles things like PDF, MP3, Flash, etc. But it prevents players from snooping around the local system and secretly sending info out to somewhere else.

Within a session, the browser can reply to cookies. Whether it's allowed to save them permanently is a separate issue. It's quite possible to have a browser that has no memory at all from session to session. You'd want this in a kiosk system, but not in other places. The right way to do this is to have a browser state downgrader that runs at browser exit or on user request. It examines new cookies and bookmarks and asks whether it's OK to save them. This is a trusted program, but a small one.

Note that none of the enforcement of these rules is in the browser. It's all in the mandatory security system that restricts what a process can do. The browser has to be modified to work under the restrictions. Again, the code in the browser isn't trusted. Only small, dumb programs with the absolute minimum functionality to do their job are ever trusted.

The trick is doing this without annoying the user too much. From this discussion, it looks like that's possible.

Web browsers belong in a jail

[Animats]

Web browsers should be running in a partition with very few privileges. They should be able to talk to the net, read their own code and resource files, write their own windows, see mouse and keyboard events in their own windows, and that's all.

A good exercise would be to take NSA Linux and Mozilla and make them work under such restrictions. This might include managing the cache in a separate process with slightly different privileges. The cache manager needs to read and write the cache, but should never interpret the content. (Think of the cache as being managed by a built-in proxy server, while the main browser does no cacheing.) Configuration also needs to be done by a separate program and process, one that gets its input from the user, can't get input from the net, and can write the preferences files. This gets all the code that can write permanent files out of the main part of the browser.

Done this way, it doesn't matter if the browser code has security holes because the browser code is not trusted. The mandatory security protections of the OS prevent it from doing anything. This is the right way to do it, and the only one that will work.

New read and execute features in IE 5.5

[mr_gerbik]

Combine this new exploit with this old one [zdnet.co.uk] that lets you read any file off someone's harddrive and I think Microsoft might be able to market these as .NET features.

-gerbik

Re:Browser/OS integration will always be risky

[vex24]

When will Microsoft finally realise that integrating their browser into their OSes is not a good idea until it can guarantee security (ie, never)?

Shouldn't that read... (I.E., never!)?

Joys of non-competition

[olman]

The problem with this is that this isn't just a Well, Now It's Over And We Can All Get On With Our Lives type thing. If this were an isolated incident, "Move on" would be good advice indeed; however, Microsoft is developing a literal track record when it comes to security vulnerabilities. Security holes in MSIE, SERIOUS ones, seem to be cropping up on the order of once every couple of months;

The problem is that we cannot move on. There is no alternative. We have to use whatever Microsoft gives us and smile while they shaft us. IMHO that's what the anti-trust trial is really all about and not whether or not someone's ability to "innovate" is being stifled by goverment regulations. If their product was just so good that everyone chose it out of their free will, people would move on to competitors when something like this happens.

Netscape? Don't make me laugh. Mozilla? I like it, but it still crashes within 15 minutes.

Well okay, fair complait re : security of system

[Darth Turbogeek]

But to be honest, a system is only as secure as the user or the admin sitting at it. Uneducated users are the most dangerous security hole there is. You can have the best security, the lest buggy code, but if you have a tool using the system you may as well go flush your hard worked over secuirty systems down the drain. Okay, that is expanding on the truth, but it's a frustration I feel every day.

I know we will see dozens of anti M$ bites, but really, who are we kidding? Security is not an easy thing and everyone gets it wrong at some point. I had a supposably secure Sun OS 0wnd by a script kiddie all because the damn admin wanted telnet open. What can you do if people wont take security seriously? I run a IIS webserver due to an app needing it and it has been attacked - it has stood up because I keep up with the lastest problems. You just have to do it.

You also have to realise security is tradeoff. I can guarenttee I could build you a Linux server so tight only the true elite would root it.... but how usuble will it be? Not very. The problem demonstrated here is that very tradeoff, MS wants usabliity, so do the unwashed masses. Makes it easy to exploit. Tighten it up and the unwashed wonder why they cant download their porn without some popup telling them that this download or link could be malicious and to proceed after the seven other warning they would get.

What's the solution in the end? Geeks like us educate the Great Unwashed maybe, I dont know. Certainly a different security paradigm than what Microsoft has.

Re:Hmm..

[f5426]

> Does anyone really think that the internet would be growing this fast if it weren't for MS.

You mean, if Microsoft did not consider Internet un-important and tried to promote their own non-internet MSN service instead in Windows 95 A ?

You need to stop beleiving the bullshit redmond throws at you. Microsoft have been surprised by internet, under-estimated the phenomenon, and tried (and failed) to control it. Now they want to make you believe that credit is due, while they did their best to slow it down.

The only credit Microsoft have is the very impressive turnaround they did in 1996-98. I would never have beleived that such a big company could react that fast.

Cheers,

--fred

Re:Inaccurate

[f5426]

> OK. My apologies. :)

OK. Let's say I remove this comment about the placement of your head. :-)

You know, I just commented on your first sentence, and I must admit nor having read the rest of your post. So much of intellectual honesty. You were such an easy target...

> I would go into a long rant here about my personal belief that unweildiness of Mozilla

That would be interesting. I find mozilla code awful, and beleive that the original sin was to make 'dynamic' code with C++. When I look at the code, I pity them, as they took great amount of pain to code in C++ things that would have been natural with Objective-C. Of course, I am biased on this :-)

Cheers,

--fred

Re:Inaccurate

[f5426]

> first off, Creating something like BIND is infinitely more difficult than something like MSIE--

Gently put your head out of your ass. You obviously don't know what you are talking about. Bind is a two-banana hack compared to MSIE. MSIE have about the same complexity as Mozilla. Ever looked at mozilla source code ? Ever tried to build it ? Now take a look at BIND source code. Build it. Draw you conclusion in term of complexity.

A BIND bug is very serious because it can compromise huge segments of the network. But people that run BIND know what they are doing (or should know). And there are alternatives.

A MSIE bug is very serious because it can compromise a huge number of individual hosts. Furthermore, people don't choose to run MSIE, they have to, or they just don't know that they are running it. And you can't remove MSIE from a windows machine.

So, IMNSHO, a MSIE bug is more serious than a BIND bug.

Cheers,

--fred

Re:Not Suprising

[Chester K]

Then again, it wasn't CmdrTaco who posted this, but we're making strides.

I'm impressed with the comments I've seen moderated up so far. Usually stories like this are flooded with comments like "Microsoft sux0rz, this is why Open Source is better!"

Isn't it funny that when a bug is discovered in Microsoft software, it's a victory for Open Source, and when a bug is discovered in Open Source software, it's a victory for Open Source?

Re:Pet Peeve

[sydb]

You are delusional [google.com].

Windows has existed in its present forms for about five years.

I presume you are judging the OS by the GUI. Windows NT version 3.1 was released on July 17, 1993. The GUI was different, but the architecure was there, care of David Cutler.

That was the release date. Microsoft recruited David Cutler in 1988, well before Linus started [clug.org].

Superior UI? Look at the quality of window managers. I'm sorry, but Sawfish, Window Maker and Enlightenment all kick Windows' butt when it comes to utility and control. And themability makes them look good too.

OO Architecture? Um, I think you'll find Gnome and KDE are riddled with OO.

Greater variety of hardware? NT had x86, Alpha [alphalinux.org], MIPS [lena.fnet.fr], even PowerPC [linuxppc.org], but they're all unsupported now. The free OS's easily wipe microsoft's peachy behind with their portability and the number of actual ports. All of those above plus loads more [linux.org.uk].

They've had the desktop market since the PC clone became popular. There wasn't a real desktop market before this. They didn't take that from anyone.

Yes, NT is taking share from Unix. But the free OS's, chiefly Linux, along with the rise of the Internet, is challenging this.

MSFT has perhaps produced a greater volume of useful code in five years than anyone else ever has
No, they just keep re-releasing the same code with new bells and whistles. The bulk of the code has been made by other companies, later bought up by MS.

Perhaps you can tell I do not like MS. I grew up with MS and I used to love their products. I still like the style of their early manuals (when you got them). But maturity and familiarity have given me perspective. I think you need some too.

Re:Not Suprising

[Fervent]

No, the shocker is that a Microsoft bug was posted on Slashdot with the (entirely unbiased comment I might add) phrase "patch now, patch now". For once, Slashdot is caring about those who view their site from the other side of the fence. Then again, it wasn't CmdrTaco who posted this, but we're making strides.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Inaccurate

[Reality Master 101]

Oh, and thanks to Microsoft innovation - you may remember this from the trial - the browser is integrated with the OS, [etc, etc]

That is inaccurate. It's thanks to an object oriented operating system that we have this problem. Ever heard of the term "reuse"? It's a feature, not a bug, that you can reuse components in various applications without having to rewrite them.

KDE would have exactly this flaw if the Konquerer component had this flaw and an e-mail reader used the component.

In short, I wish people would stop with the idiotic Microsoft bashing. All software has bugs. Let's fix it and move on.

--

SP2

[Alien54]

For those of us not so enlightened as to use netscape or mozilla, this means another trip to the microsoft website.

Special note of warning, the website has been more messed up than usual over the past few days, especially in trying to download the 5.01 sp2. I'm still trying to find the full package in one compressed file so that some folks can save the bandwidth.

My opinion: reports and pr to the contrary, the bit and piece auto install over the net is not more convenient. Especially when you have poeple mobbing sites for an update.

But if you are here reading this, you probably know this already.

Check out the Vinny the Vampire [clik.to] comic strip

This has happened on many browsers before.

[Bungie]

I don't know what the big deal is here. This has happened to many other browsers before, including older versions of IE. With new standards, scripting and virtual machine technologies being implemented in browsers continually, it is expected. It is a simple browser vulnerability, and that is all.

This is not new, if you read Bugtraq [security-focus.com], or even Georgi Guninski's page [guninski.com], you will see this and many other exploits are a common occurance in many browsers. Even browsers that handle only plain html like Lynx have been proven vulnerable at times.

Since IE3, many vulnerabilities like this have popped up in MS's browser. IE3 was far worse, as both the Windows and Macintosh platform could both be explotited in terrible ways. Also, we can't forget the famous Netscape Brown Orifice [brumleve.com] exploit, which Netscape admittedly [netscape.com] couldn't even fix in their 4.x series of browsers. I'm sure there are some fine exploits waiting to be found in the lesser used browsers too, but they are just far less reviewed by the security community.

Now I don't think its right that such vulnerabilities exist, but bugs will always be present in software. Internet Explorer just happens to use a lot of mixed technologies and therefore there are more ways for it to be exploited. This is nothing more than someone exploiting a vulnerable version of BIND or RPC. The only difference I find here is that Microsoft is involved, and thus makes a good sensationalist Slashdot target.

I hope this is enough of a definition for you.

[loucura!]

Below is the link to the explaination of said hack, that includes 'source' et al.

http://lists.nat.bg/~joro/webctrl2.html

and the URL from ZDNet that linked to it.

http://www.zdnet.co.uk/news/2000/35/ns-17763.htm l

Demonstration is available at: http://www.nat.bg/~joro/webctrl1.html

Workaround: Disable Active Scripting

Damn you Microsoft!

[deran9ed]

csh-2.04# explorer
csh: explorer: command not found

oops... I'm not on Windows...

April Fools is coming!@!

Macroshaft Security Bulletin (MS01-069)

Patch Available to Improve Packet Pigeon Performance

Originally Posted: October 22, 1999

Summary
MacroShaft has released a patch to ensure delivery of packets via Packet Pigeon birds. This is long overdue and is a must secure vulnerability on all MacroTrash products.

Frequently asked questions regarding this vulnerability will always be laughed at MacroShaft [macroshaft.org] and AntiOffline [antioffline.com]

Issue

The Packet Pigeons used in large cities were sometimes affected by those in the geriatric stages of their lives, as these 60+ year olds fed Packet Pigeons en route to their destinations causing a denial of service.

Affected Software Versions

• MacroShaft Windoze NV 4.0 Crashstation
  
• MacroShaft Windoze NV 4.0 Server
  
• MacroShaft Windoze NV 4.0 Server, Enterprise Crash Edition
  
• MacroShaft Windoze NV 4.0 Server, Terminally Ill Edition
  
  

Patch Availability

• x86:
  http://download.some.0-day.warez.com/at/some/other /site
  
• Alpha:
  http://download.some.0-day.exe.files.com/else/wher e
  
  

(NOTE: MacroShaft really cares about it luzers.)

More Information
Please see the following references for more information related to this issue.

• MacroShaft Security Bulletin: Frequently Asked Questions,

http://www.MacroShaft.org/cgi-bin/display?=%2edev% 2enull

• MacroShaft article MS.Kills [antioffline.com], How Microshit products may be actually killing its users, (Note: Read our new book "Hax0ring sluts for fun and profit.")
  
• HURT Advisory NY-69.4u, Topic: Campbells soup set to release new product,
  http://www.antioffline.com/scriptkiddiesoup.html

Microsoft Insecurity Advisor web site, http://www.wiretrip.net

Obtaining Support on this Issue
This is a fully supported patch. Information on contacting MacroShaft Technical Support is available at http://support.macroshaft.and.all.of-its-h0es.com

Acknowledgments
MacroShaft acknowledges deran9ed/sil of AntiOffline for bringing this issue to our attention and we will up his p0rn quota to 2 gigs.

Revisions

• October 22, 1999: Bulletin Created.

THE INFORMATION PROVIDED IN THE MACROSHAFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MACROSHAFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, OR EVEN EXORTED INTO THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MACROSHAFT CORPORATION OR ITS WHORES BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES TO YOUR PORN DIRECTORIES NOR PACKET PIGEONS, AND POKEMON, EVEN IF MACROSHAFT CORPORATION OR ITS H0ES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. PEOPLE OF GERIATRIC AGE SHOULD HAVE THEIR LICENSES REVOKE AND THROWN INTO LABS TO SERVE AS LAB MICE. AND IF YOU ACTUALLY READ ALL OF THIS THEN YOU MUST BE AS BORED AS WE WERE. ANTIOFFLINE RESERVES THE EXCLUSIVE RIGHT TO POKE FUN AT YOU, WITHOUT INDEMNIFICATION, OR GRIEVANCE TO YOUR PATHETIC COMPLAINTS. SOMEONE SHOW ME WHERE THE CAPS LOCK KEY IS!@!

(c) 2001 AntiOffline Corporation. All rights stolen. Terms of Use.

You have received this e-mail bulletin as a result of your moronic use of our Products. You may unsubscribe from this e-mail notification service at any time by sending an e-mail to WE-PAY-NO-ATTENTION-TO-YOUR-MAIL@MACROSHAFT.ORG The subject line and message body are not used in processing the request, and can be anything you like.

For more information on the MacroShaft Security Notification Service please visit http://www.packetstorm.securify.com For security-related information. For MacroShaft products, please visit the MacroShaft web site at http://www.macroshaft.org/ more advisories like this can be found here [antioffline.com]

previous versions

[Anonymous Admin]

"Microsoft tested IE 5.01 and IE 5.5 to assess whether they are affected by this vulnerability. Previous versions are no longer supported and may or may not be affected by this vulnerability." You are on your own.