
MSIE Security Worsens: Patch Bungled
mansoft was one of several to send us a followup to last week's story about the massive MSIE/Outlook security hole. He points us to this Wired news article: "Your computer may not be protected against a recently discovered and dangerous security hole -- despite all claims to the contrary from Microsoft." Ack! If you tried the patch and got the message, "This update does not need to be installed on this system," you may need to upgrade your IE and re-patch. I'm amazed at how poorly this has been handled. I'll be even more amazed if there is no fallout. If Melissa or ILOVEYOU had been able to install backdoors as they spread, that would have really, really sucked.
Update: 04/03 04:24 PM GMT by J: According to this Wired story, Microsoft was given six weeks of silence to prepare and issue the patch.
Re:Seriously... (Score:2)
As for how annoying it is to have to reboot the OS for a relatively simple application patch to be installed, you've never run anything else have you? You can replace the bloody C library and device drivers in Linux without rebooting, let alone a simple browser patch.
As for it not mattering, you've also never had to support 500 desktops have you? So is it really any wonder MS don't get such good press. Would you be so defensive if your weekend was spent patching 500 corporate desktops due to someone else's fsck up? I didn't think so.
Go back to playing games and thinking you know what you are talking about.
Nobody will care till it's exploited (Score:2)
A. We've had self propagating trojans
B. We've had breakins at major web sites with web page defacements.
Now we have the link for A+B, a way of automatically downloading a trojan onto most people's computers from a cracked web site page.
Can you imagine the damage it would do to Microsoft's image and the image of Windows if someone exploited this? Maybe 90% of users won't install the patch and those users are sitting targets.
So please Script Kiddies, DON'T DO THIS, it is bad and I am older than you and I know best.
Bad kiddies, BAD BAD BAD.
Biased (Score:4)
You guys sound like nobody ever finds any holes in Linux.
BIND? Remote execution of code? A self spreading trojan so simple an 8 year old could use it?
Slashdot
News for Linux. Stuff that's biased.
Re:Biased (Score:2)
Except Netscape of course, which for some reason UNIX users continue to insist on using. How many security releases is the 4.x series up to now? 4.77 just came out this week, so I think we're up to at least 20-30 security patches, many of them for serious holes.
Cheap red herring/spin doctoring (Score:5)
In other words: "Chrysler spokesman Corporate G. Bastard said that although every Chrysler vehicle produced in the last year could be unlocked, its alarm disabled and driven away using Bic brand ballpoint pens, the vulnerability exists only for a few of several hundred colours available."
This is the worst (ie. least skillful) spin doctoring I've ever seen. Just because all MIME attachments don't open your machine's front door, well, we shouldn't worry about this "typical software error."
Re:Slightly O/T (Score:2)
It's the same problem with all commercial software: they have to pretend that their software is perfect.
If they have to distribute patches for *anything* they are saying that they made a mistake. That's like admitting liability, and what would an insurance company say about that?
Microsoft has tried to cover it up by including enhancements (service packs) and making it automatic (Windows update) but we all know these don't work properly either.
I recommend you read Neal Stephenson's "In the beginning... [amazon.com]" as he talks about all of this in much more detail.
Re:Overstating Things (Score:2)
What did they spell out clearly? That the patch may not work and you may still be vulnerable to exploits? Really? Sounds unusually honest.
Re:Opera (Score:2)
Are you talking about http://mi-net.dynup.net/ ? I just ran it through http://validator.w3.org/ and got loads of errors.
Opera isn't very forgiving of bad HTML, sorry.
Being a new web author you should really spend more time at http://www.w3.org .
...blow your byte limit, wipe your drive... (Score:4)
...borrow your credit card details, passwords to any/all accounts you access through the machine, use your machine to break others (thus dropping you in the pooh en passant), post emails and the like in your name, yadda yadda yadda.
Trust me, it's not a good idea.
Re:If Netscape would just get off their ass (Score:2)
It does not. It uses KHTML, which is not based on Mozilla code.
--
Re:But will IE use slacken? (Score:2)
Who said anything about Netscape? What I want to know is has anyone found any security problems in Konqueror, Galeon, or Opera.
And ARE there any...
---
"They have strategic air commands, nuclear submarines, and John Wayne. We have this"
Re:If Netscape would just get off their ass (Score:2)
I kinda hate posting this, just because it's such a predictable old saw, but...
If you're not morally opposed to running KDE, you should give serious thought to trying out Konqueror. It runs using the Gecko rendering engine, but has the added benefit of... well, you know. Not crashing constantly. It also runs very quickly, orders of magnitude faster than the last 'zilla build I tried (m18).
The only problems I've had with Konqueror involve javascript-heavy sites, and I really don't feel I can blame that on the browser.
Re:Biased (Score:2)
Hey dude, you're the one who brought up Linux; the story didn't. Nobody said Linux and all the assorted Unix tools out there are a special case that are better than average in terms of security.
Microsoft is the special case here. Almost everything (of which Linux is just a few percent) has better security than Microsoft products, because even most below-average-intelligence programmers know that data != code. At least when Linux or BSD or MacOS or Amiga or QNX or OS/2 or BeOS fucks up, it's usually just due to a bug, not due to the really stupid premise that external data should be executable (and with full privileges!).
Microsoft is damned lucky that most of the exploits up to now have been so benign. It's pretty clear that whoever has been writing them, has been pretty Microsoft-friendly by just doing proof-of-concepts and having fun, rather than actually causing serious damage that would make users demand a serious response. (And before someone goes off on how many thousands of dollars their company lost due to ILOVEYOU or Melissa, count your blessings that you got off so easy.)
---
Re:If Netscape would just get off their ass (Score:2)
What makes you think that would work? There are already plenty of non-sucky browsers out there. But MSIE is the one that comes preloaded on 'Doze systems. You can't even move the icon off the desktop into the recycle bin or a "MS Stuff" folder.
BTW, making a browser that doesn't suck, doesn't really require much in the way of resources. It's pretty much just a one-man job. Web browsers aren't particularly difficult apps. They only start to get hairy when companies like MS start trying to turn them into desktop shells.
---
Overstating Things (Score:5)
For those of us who read the security notice Microsoft released, this is old news because Microsoft spells it out clearly and did so when the patch was first released.
Re:Biased (Score:2)
> BIND? Remote execution of code? A self spreading trojan so simple an 8 year old could use it?
Woo-hoo! How many Windows holes have been discovered since the BIND hole was?
--
Re:Seriously... (Score:2)
Probably because a lot of us have watched Windows crap out for no discernible reason, under loads and uses that Linux and the *BSDs regularly chew up and spit out. I've watched both the cruddy 9x series, and the slightly more stable NT 4 collapse for bizarre reasons. Watching a DVD shouldn't cause a lockup. The OS shouldn't need a reboot every once in a while to "speed it back up." As for NT, watching someone nearly snap because an out-of-nowhere crash wiped out the video they'd been editing is *not* fun. I guess one could argue that NT 4 wasn't made for video editing...but then, why were these rather expensive machines purchased, and why did the company that sold them choose NT as the platform?
It's that inability to handle regular, everyday use without very careful shepherding that drove me - DROVE ME - to install Linux in the first place.
Incidents like this do not help. It's good that Microsoft mentioned in the initial patch summary that people who got a "this patch is not necessary" message needed to install it anyway - but then, that message shouldn't have popped up in the first place.
Too much crap wasting too much of my time. That's why I stay away from MS software whenever possible.
Re:In fairness to Microsoft (Score:2)
So, basically you're saying that:
- it is OK for M$ to not offer patches for older versions since there exists a new version to be downloaded.
- it is OK to leave bugged patches for download, because everybody can read somewhere that the patch is bugged?
I will say that a company like M$ should have the resources to do some proper quality control before giving out new software. I'm not saying that IE should be guaranteed to be bug-free but the patch should at least have been tested with several versions of IE first. This is so simple and basic....
M$ cannot force every end-user to download huge version of IE because M$ cannot be bothered to give out patches for older versions! For this there are at least two reasons.
1. dl'ing IE takes TIME, especially for all those who still use analog modems.
2. Not everybody needs (for other reason than removing old bugs) or wants these upgrades.
M$ should show some responsibility, then again why should they as long as they have monopoly?
Re: erk... (Score:2)
These "features" are also known as "spaghetti code"...
Re:If Netscape would just get off their ass (Score:2)
It's impossible to have an email program which can render HTML emails without simply throwing them at a browser? It's impossible to have an email program which can tell the difference between application data files and executables?
Re:Slightly O/T (Score:2)
All of this kind of thing targeted at the standalone/home user.
When most damage is done by the security problems with corporate networks.
Effectively it's a variation on "expect the end user to be the sysadmin".
Re:market share=incorrect (Score:2)
I assume it's not under "other" because that share is so low. These all come from the user agent strings so whatever a browser under Win ME would identify itself with, that's what would show up here. Anyone with Windows ME who can tell us? I would also not be completely surprised if the guys who wrote the stat app just thought that ME is basically 98 SP2 and decided to combine the stats under "Windows 98".
Also, if anyone else has similar stats, I'd like to see those too - if nothing else but to compare how "average" our stats are.
Re:market share=incorrect (Score:2)
FROM: Jerry Baker
DATE: 07/15/2000 07:39:03
SUBJECT: Properly reporting Windows Me
Well, Windows Me has been released to manufacturing and is supposed to
go gold in September. I'm just curious if we want to setup
/mozilla/netwerk/protocol/http/src/nsHTTPHandle
Some might say that Mozilla should just continue reporting it as Win98,
but I don't think so. Just as Win98 was really just an upgraded Win95,
so ME is to Win98. It is a different OS and should be reported so that
people wishing to detect the presence of this OS can find it (such as
measuring its adoption rate, etc.).
The real question comes down to how to report it. It looks like Mozilla
is trying to provide UA compatibility with IE where possible (a good
thing), but IE has an interesting take on Windows Me. The info I have so
far shows IE reporting Windows Me as
Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)
To me that seems ridiculous. Should Mozilla go ahead and follow MS's
previous "standard" and report it as "Windows ME", or use Netscape's
"standard" and report it as "WinME"?
What do you think?
--
Jerry Baker
PGP Key:
http://pgpkeys.mit.edu:11371/pks/lookup?op=get&
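An added example, not part of the thread or of Mozilla's code: a log-side classifier for the question raised in the two posts above. It shows how the `Win 9x 4.90` token in the IE string quoted in the e-mail separates Windows Me from Windows 98, and how a tally that ignores that token files Me clients under 98. Every sample string except the first is constructed, and all function names are hypothetical.

```python
import re
from collections import Counter

# The first string is the one quoted in the e-mail above; the rest are
# constructed samples for illustration.
SAMPLE_UAS = [
    "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)",
    "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)",
    "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)",
    "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)",
    "Mozilla/4.77 [en] (X11; U; Linux 2.2.19 i686)",
    "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)",
]

MSIE_TOKEN = re.compile(r"MSIE (\d+)\.\d+")
MOZILLA_PREFIX = re.compile(r"Mozilla/(\d+)\.\d+")

# Ordered from most to least specific. "Win 9x 4.90" has to be tested before
# "Windows 98", because IE on Windows Me sends both tokens.
OS_RULES = [
    ("Win 9x 4.90", "Windows Me"),
    ("Windows NT", "Windows NT"),
    ("Windows 98", "Windows 98"),
    ("Windows 95", "Windows 95"),
    ("Linux", "Linux"),
    ("Mac", "Macintosh"),
]
# What a stats package written before Windows Me shipped would effectively do.
NAIVE_RULES = [rule for rule in OS_RULES if rule[1] != "Windows Me"]


def comment_tokens(ua):
    """Return the ';'-separated tokens of the first parenthesised comment."""
    m = re.search(r"\(([^)]*)\)", ua)
    return [tok.strip() for tok in m.group(1).split(";")] if m else []


def classify_os(ua, rules=OS_RULES):
    """Map a User-Agent string to an OS bucket using ordered prefix rules."""
    tokens = comment_tokens(ua)
    for needle, label in rules:
        if any(tok.startswith(needle) for tok in tokens):
            return label
    return "other"


def classify_browser(ua):
    """Bucket by major version, like the 'MSIE 5.x' rows in the stats post."""
    tokens = comment_tokens(ua)
    for tok in tokens:
        m = MSIE_TOKEN.match(tok)
        if m:
            return f"MSIE {m.group(1)}.x"
    # IE also starts with "Mozilla/4.0", so the prefix only means Netscape
    # when the "compatible" token is absent.
    m = MOZILLA_PREFIX.match(ua)
    if m and "compatible" not in tokens:
        return f"Netscape {m.group(1)}.x"
    return "other"


def tally(uas, rules=OS_RULES):
    """Return (browser_counts, os_counts) for an iterable of UA strings."""
    browsers = Counter(classify_browser(u) for u in uas)
    systems = Counter(classify_os(u, rules) for u in uas)
    return browsers, systems


def shares(counter):
    """Convert counts to percentages rounded to two places."""
    total = sum(counter.values())
    return {k: round(100.0 * v / total, 2) for k, v in counter.most_common()}


if __name__ == "__main__":
    browsers, systems = tally(SAMPLE_UAS)
    _, naive_systems = tally(SAMPLE_UAS, NAIVE_RULES)
    print("browsers:      ", shares(browsers))
    print("OS (Me-aware): ", shares(systems))
    print("OS (naive):    ", shares(naive_systems))
```

The User-Agent header carries the IE major and minor version but not the service-pack level, so a tally like this can find IE 4.x and 5.0 clients but cannot tell 5.01 from 5.01 SP2.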
Re:What if this happened to Linux? (Score:3)
It doesn't matter if the source is available or not. A worm or virus that gains access to the system - any system - can do anything it wants. Period. There's absolutely no difference if it's Windows or Linux, except that on Windows (especially the non-NT variants) code would more easily be run under an account that has more access to the machine (administrator, system etc.). On Linux and other UNIX's, typically, the worm would be executed under some non-root account and have only limited access to do harm. On a properly set up Win NT box, it's basically the same tho.
market share (Score:3)
(btw, like for Slashdot polls, if it doesn't add up to 100%, it's due to rounding errors)
Browsers:
MSIE 5.x 75.79%
MSIE 4.x 13.67%
Netscape 4.x 9.28%
MSIE 3.x 0.44%
Netscape 3.x 0.36%
Netscape 5.x 0.22%
MSIE 6.x 0.15%
other 0.09%
Netscape 6.x 0.01%
Operating systems:
Windows 98 64.17%
Windows 95 18.18%
Windows NT 15.92%
Macintosh 0.95%
Linux 0.33%
Windows 3.1 0.23%
other 0.19%
Misc Unix 0.05%
I think these stats show a couple of things:
1) Windows OS's have a HUGE lead over anything else. Macintosh is lower in Finland than it is in the USA, I'm sure, but then you'd think Linux is higher here than over in the USA...
2) IE has a HUGE lead over Netscape and anyone else, with almost 90% market share
3) IE 5 has a surprising amount of users - I was expecting IE 4 to have a much higher number relative to IE 5. I think this shows that people are actually upgrading their version 4 IE browsers to IE 5 themselves and not just sticking with what came with the OS - otherwise we'd see more IE 4's.
4) Mozilla + Netscape 6 are completely marginal at this point, though I'm sure they will slowly grow. At this point, there are even more Netscape 3 users than there are Netscape 6 users! Even IE 6, which only has had a beta out for about two weeks is higher than Netscape 6 right now.
I don't know about the rest of you, but I'm pretty surprised at the huge Microsoft domination in these stats; both OS wise and browser wise. Considering security problems like today, it's a little scary, because Joe Sixpack will NOT install security patches. At least the stats seem to show that users do update their browsers every now and then..
Re:Biased (Score:5)
4.0
4.01
4.02
4.03
4.04
4.04a
4.05
4.06
4.07
4.08
4.5
4.51
4.7
4.71
4.72
4.73
4.74
4.75
4.76
and a few days ago, 4.77 appeared on Netscape's FTP sites even though Netscape 6 (don't even get me started!) was released.. Oh.. And Netscape 6 is actually at 6.01 now.. Yes, you guessed it.. a security patch release. I'm sure I left out some 4.x versions, but notice that only a couple of those are feature releases (4.5, 4.7 and 4.06 if memory serves). For many of those releases, way more than one bug has been patched. So to claim that this is a Microsoft-only problem is just plain wrong.
Re:If Netscape would just get off their ass (Score:2)
0.8.1 is not "orders of magnitude" faster than M18 (as in not over 10 times faster). But it _is_ 2-4 times faster, I would say.
And you can absolutely blame your browser for not handling JS-heavy sites correctly assuming the sites in question use the W3C DOM (and some do).
Re:But will IE use slacken? (Score:2)
I want to be able to download a 100 meg file that i can burn to cd that contains all critical updates, security patches, and compatibility updates and service packs that have been released since win2k was released. It really is a pain in the rear to have to update a computer that is on a dialup, or spend the time doing windows update when i could just whip out the cd and fix it all right there. The same goes for IE.
----------------------
it was possible (Score:2)
The whole situation's just pretty darn funny, if you ask me.
-------
CAIMLAS
Re:erk... (Score:2)
In addition to fragmented software and development speed, there's one very important reason the skr1pt k1dd13z don't attack Linux boxen, which is this:
If all the poorly-administered Linux boxen in the world went down tomorrow, where would they launch DDoS attacks from?
Re:...blow your byte limit, wipe your drive... (Score:2)
Cripes, you had to make me wonder why nobody (ILOVEYOU, etc.) has launched one of these Windoze viruses through an anonymizing open relay out of China.
1) 0wn some poor fux0r's insecure Linux box. /dev/random /dev/hd0
2) Install ssh and tunnel your way to a shell on it.
3) From the 0wned box, telnet to port 25 of an open relay that masks the IP of the spammer and send a few thousand ILOVEYOUs or Melissas.
4) Wipe the logs, the rootkit, and then cp
5) Sit back, relax, and watch the networks melt down.
The use of an anonymizing open relay makes the only publicly-available trail go back to China. The admin may not even know his box is being used as an open relay, let alone keep logs of it.
The use of an 0wned box means that if the Chinese admin keeps logs, the logs will point back to the innocent victim.
The innocent victim's hard drive will be largely wiped when FBI comes knocking on his door. Can you say "Guilty unless proven innocent"?
With the drive and logs mostly wiped, good luck finding the evidence that the box was 0wned and the logs showing an incoming ssh connection from the real perp.
Hell, good luck finding that out even if /dev/hd0 hadn't been wiped.
We're vulnerable. We have been for years. And the only thing we can be thankful for is that skr1pt k1dd13z are morons. The real adversaries are just biding their time.
Re:Not on MS security notification service EITHER (Score:3)
My question about this hole is that the MS Security Bulletin keeps phrasing it in terms of an "HTML email" but notes that the "HTML email" could be hosted on a website. This sounds like a deliberate attempt to downplay that it is a hole in the MSIE browser itself, not in one of MS email products. I think this may relate to the fact that the Court of Appeals has yet to rule in US v. MS, since this hole demonstrates clear consumer harm from MS bundling/integrating the browser with the OS and MS's main argument before the Court of Appeals is that the government did not prove consumer harm.
Forcing to upgrade (Score:2)
So i think there are valid reasons not to want a free update, but security-holes that large are plain unbearable.
Re:erk... (Score:2)
Even with the worst possible scripting installed in terms of security, it still would be very difficult to gain root access.
Now the same can be said about Windows NT/2K but it's soo much easier to give yourself admin rights on these platforms isn't it? I wonder how many people like to work without it. The lack of an su command kind of takes the fun away...
Cheers,
Matt
Re:erk... (Score:3)
As for the "professional courtesy" part, I seriously doubt that that has anything to do with it. In my opinion, among others, these things limit the spread of concept virii on Linux:
- Fragmented use of software: people don't just use outlook & IE, they use a long list of different softwares and distributions. Fortunately, the competition between KDE & Gnome is still going strong, and there will always be different distributions people can use.
- The speed of development. By the time someone developed a concept virus, the mail-client will have had 3 revisions of its code base. As an example, KDE is releasing code at an amazing pace.
To finish, I don't really NEED a full blown attack, but it sure is fun to watch at times.
just my 2 -cents.
Matt
Talk about narrow minded. (Score:3)
Really, I use djbdns. It's an alternative that is available to me, just like Mozilla is an alternative available to me. I use these programs every day, and I don't have to deal with any problems.
BIND sucks, IE sucks, most code sucks. Go for the relatively open stuff, stuff that is designed well, and you don't get these problems.
--
No wonder I couldn't install it... (Score:2)
Is there a way to force the install without upgrading to v5.5? Microsoft needs to fix this!
Paranoid? (Score:2)
Now, it's changed to "the patch doesn't work for earlier versions, you should download the latest version so the patch will work". Where do they say that the hole actually existed on earlier versions of IE? And why doesn't it affect 5.01 SP2? Why the hell wouldn't 5.5 include whatever code was in 5.01 SP2?
I've got a better idea. Install Opera, or better yet, Linux.
Re:Opera (Score:2)
always had my eye on Opera as it was pretty good, but i have to say 5 was good enough for me to register as well. it renders quickly, can use plugins, is incredibly stable, has many wonderful features for configuration and filtering, and can pretend to be different browsers for badly-written sites
I'm a web developer, and the only time I go into IE now is to doublecheck that its bad implementation doesn't break things i'm working on.
Fross
But will IE use slacken? (Score:3)
First I want to get a few things out of the way. IE is good for browsing, but not for security. It opens fast, renders fast, has great support for CSS and includes many MS-only features (like customized scroll bar color on websites). Sure, this is really screwing over standards, but hey, It's MS. Your average user runs Windows, which is so conveniently bundled with a copy of IE. Also, with something that runs fast and apparently well, your average user wouldn't want to upgrade, much less learn a whole new program if they're newbies. Plus, think about the chance that an average user would even HEAR about this! Very poor.
Sure, IE has huge problems with security, but because it's bundled, and so many people learn how to use a computer with IE (and IE integration into the OS), Netscape, Mozilla, and Opera (heaven forbid lynx gets used more) don't have much of a chance to break into the market. This is the problem.
For the people that read /., most of us will either continue using Netscape / Mozilla / etc, or we will consider switching, but then patch up and continue using IE. We would worry about the security. Your average user would see the patch, install it, and be more motivated to use IE ("they fix their problems!")
So how can we get this to change? Make a huge chronologically ordered list of MS's security problems? Sure, but how would we get your average user to see it, much less pay attention to it. Even if we got computer retailers to install Netscape with every computer, would the average user want to wait longer for it to load, or not have as many pages compatible with it, or have a browser with a different UI style than their OS?
So what do we do?
Any ideas?
-Dan
I'm not reading what I wrote, and I just woke up, so please, excuse my ignorance.
Re:If Netscape would just get off their ass (Score:2)
I've said it before, and I'll say it again: This is a load of crap. It was true back in the days of IE3/4 and Win95, but since IE5 came along, it's just a matter of right clicking on the icon and selecting "Delete". Or dragging it to the trash bin. Or unselecting "Show IE icon on desktop" in Internet Settings. Ya dig?
---
Re:Seriously... (Score:2)
I am no Linux zealot (see sig). I am posting this from Win2k right now. I use Debian Linux, Win2k, and MacOSX on a regular basis, and I like them all about the same.
I have to disagree with your post, however. Not only is it blatantly insulting, but it is insulting people for reasons that are beyond their control. Riddle me this: My roommate has a fresh Win98SE install on his system. If he leaves it on for more that 12 hours or so, he finds that Deus Ex gets really really choppy. Reboot and the problem is solved. Is that his fault? No, it is a combination of driver problems and a not-so-well-written OS.
Win2k is great. I have no qualms with it. Win9x is NOT. Just out of curiosity, which might your system be? Oh, and BTW, 4 days is not an impressive uptime.
I agree with your main point -- that the Linux zealots are out of control around here. However, you don't have to be a GOD DAMNED ASSHOLE to express that point.
Oh, I almost forgot. Yeah, I bet this post will be modded down because... um... moderators are stupid or something. Right? Right? So if you mod this down, you are stupid. Really. Trust me. wink wink, nudge nudge.
------
Re:erk... (Score:2)
This gives us the current unix security fiasco - sendmail has never been a secure product, apache cgi, no one seems to make a secure ftpd, no one makes a secure bind, etc etc..
It's all ridiculous. If privileges were granted/deny'd based on some finer granularity - perhaps at the syscall level, and in a way where programs/conditions authenticated themselves to the security policy, then these problems could be avoided.
For instance, rewrite the kernel and libc so that bind on a privileged port (80) succeeds for a non-root user, so long as the process is "apache", has a trusted md5 sum, was started by a user in group wheel, lives in directory
Then apache doesn't need to run as root even for a _little_ bit of the time.
Also, NT has "su". Look at "runas".
You're right though. Being non-admin on NT sucks, for now. That's being worked on pretty actively.
Re:erk... (Score:2)
None of them change that fact that the _design_ is broken. No amount of great implementation can fix a broken _design_.
sudo isn't even relevant for what i was referring to - daemon processes (although you seem to acknowledge that).
As long as the only granularity is "god" or "shit", programs that are useful will need to run as "god", and they'll cause system-wide compromises unless they're written by security experts, have limited functionality, are designed with security as the primary concern, and the developers and administrators happen to get lucky.
Like I said, the design is broken.
Your firewall avails you nought (Score:5)
What use is a firewall against a mail client that can't wait to sink its teeth into anything remotely executable ?
At home I do lots of news, I get loads of Spam, and I have a decent mailer. At work I use minimal external email, never publish my address anywhere likely to be scraped into a list, and I'm pretty much forced to use Outlook. If these two environments were ever to merge, then truly my ass would be owned and all my bases would belong to someone else.
We don't need security patches. We need a mailer that doesn't have the trusting "I just want to be loved" behaviour of a lonely spaniel trying desperately to please. If M$oft saw email a bit more as being an Internet protocol, and less as something that's only used within a large corporate, then they might understand why this is such a dumb attitude.
Mailers just shouldn't trust incoming email.
erk... (Score:4)
What's more worrying is that the increasing integration of things like KDE and Gnome are heading the same way. Admittedly the problems won't be around for so long, but as the number of unclued linux users goes up I suspect things may only start to get worse...
Wow! I guess RMS can give up gcc (Score:3)
Seriously this isn't possible, I can't believe that someone believed this FUD and modded him up.
"One World, one Web, one Program" - Microsoft promotional ad
Slightly O/T (Score:4)
I think it really is time that some of the companies that produce software started to make it clear that patching is an important part of software maintenance for everyone and not try to hide the whole process in case someone thinks their software is crap.
DILBERT: But what about my poem?
no security model (Score:2)
IE 5.5 i mean come on, everyone knows it's not going to work until at least service pack 2 or three.
MS Security is a bit of a joke. I only hope my firewall will help me most of the time. Any day I sit down I expect to have been owned.
There shouldn't be any market niche for Virus checkers!
Re:If Netscape would just get off their ass (Score:5)
Poster A : Mozilla sucks
Poster B : You should see last night's build - awesome
one month later
A : Mozilla sucks
Poster B : You should download last night's build
and so the treadmill continues
Opera (Score:2)
Seriously, if you haven't tried Opera, now is a perfect time. It ships on multiple platforms (BeOS, Win32, Linux... even Epoc ?), is HTML4 compliant, fits in under 2 Mb, has tons of useful features to ease navigation/zooming/filtering. I've even registered it, it really is **that good**(TM).
Re:huh? (Score:2)
Thanks, I'll check for that other 'patch'
--
Re:huh? (Score:2)
So, not only do you need the patch, you also need to upgrade to a newer, and switch to an English version.
Furthermore, if you already run IE5.5 in a non-English version, you're fucked. And if you don't have 62MB free on drive C: you are fucked too.
Dear microsoft, it's great you make it so EASY to be a sysadmin, and apply patches. NOT!
ion++
Re:Forcing to upgrade (Score:2)
but the source modification is printed so you can simply apply it yourself if you want to and not upgrade.
Re:Biased (Score:2)
"BIND? Remote execution of code? A self spreading trojan so simple an 8 year old could use it?"
BIND is an application used by serious network administrators and should only be used by technically competent people.
IE is part of the underlying operating system and is present on all windows machines - even on those where it's not wanted.
Re:If Netscape would just get off their ass (Score:2)
Mozilla could be walking on water right now, but it doesn't change the fact that Netscape6 still sucks balls.
No need to worry (Score:3)
you use your PC to play [insert favorite game]
the main purpose is to listen to ripped off MP3s
the sole purpose is to watch pr0n
it's mainly used to troll /.
However, you should recognize that some of us actually use computers for professional purposes, that others are in charge of multi-terabyte databases, that some of us are responsible to guarantee a mere 3'000'000 transactions a day on our clustered systems and that - if our systems crash - every minute might cost 10'000s of $.
Go ahead, use your PC as a toy, but please don't slam us professionals whose livelihoods actually depend on the fact that the systems for which we are responsible don't get corrupted.
You can go now and play with your personal computer
IE used by other programs (Score:3)
Well, that's all fine, until installing IE5.02 shafts the software I use to earn money. As it happens, I only wasted a morning sorting this problem. I hardly minded this, as I was suffering an immense hangover from my stag days and nights, and couldn't cope with anything demanding.
Still, if I had a deadline, I would have been mightily pissed off!
Tom.
Re:Not on windowsupdate (Score:4)
Tom.
In fairness to Microsoft (Score:5)
Caveats: If the patch is installed on a system running a version of IE other than the one it is designed for, an error message will be displayed saying that the patch is not needed. This message is incorrect, and customers who see this message should upgrade to a supported version of IE and re-install the patches.
If users fail to read the advisory, I don't see how this is Microsoft's fault. The original security hole was undoubtedly stupid; let us concentrate on that rather than this non-issue.
--
Re:In fairness to Microsoft (Score:2)
I looked through the bulletin and didn't see any mention of needing SP2 for IE 5.0. Perhaps it's there, but if so, was not obvious to someone wanting to get in, get the patch, and get on with life.
Now to get SP2 and hope that does it...
-----
D. Fischer
Now seriously... (Score:2)
I don't really have the time for testing, I'm a think-er, not a do-er, but let me know what you think.
The problem we have is that the browser/email client/whatever is in effect a shell.
This is a problem with Windows, but it's also a problem if you some day use Emacs to surf the Web and read your email. Not saying it would be a problem, just saying it could be a problem.
Now for the fixing part: Can we run the browser as SUID nobody? Can we run the browser chrooted? Can we do the same for an email client? (I'm just talking UN*X, here)
Ok, now the new micro-soft operating system actually has permissions on the filesystem, doesn't it? And you can actually do an equivalent of setuid, can't you?
Not sure about chroot, but then...
So why don't we create a user mailo, with very low permissions, no Write outside the mail client dirs, no Read either (except where mandatory), and run the email client as setuid mailo?
Can this be a starting point for something? Or did I have one drink too many last night?
Remember, we're engineers, we're supposed to fix stuff, not bitch about it...
-----
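A setuid bit on a binary owned by a non-root account changes only the effective and saved UID; the real UID stays the invoking user's, so code running inside the client could switch back. The launcher below is an added example, not part of the original comment, that pins all IDs before starting the client; the dedicated account (the comment's `mailo`), the setuid+setgid installation and the path `/usr/local/bin/mail-client` are assumptions.

```c
/* Added example. Assumes the binary is installed setuid+setgid to a
 * dedicated unprivileged account; MAIL_CLIENT is a hypothetical path. */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define MAIL_CLIENT "/usr/local/bin/mail-client"

/* Pin real, effective and saved IDs to the effective ones. Returns 0 only
 * if the caller's original IDs can no longer be restored. */
int lock_to_effective_ids(void)
{
    uid_t old_ruid = getuid(), euid = geteuid();
    gid_t old_rgid = getgid(), egid = getegid();

    if (euid == 0)
        return -1;                       /* never run the client as root */
    if (setregid(egid, egid) != 0 || setreuid(euid, euid) != 0)
        return -1;
    if (getuid() != euid || getgid() != egid)
        return -1;
    /* Fail closed: switching back to the invoking user must now fail. */
    if (old_ruid != euid && seteuid(old_ruid) == 0)
        return -1;
    if (old_rgid != egid && setegid(old_rgid) == 0)
        return -1;
    return 0;
}

/* The caller's supplementary groups survive; only root can clear them
 * with setgroups(), so report how many the client will inherit. */
int supplementary_group_count(void)
{
    return getgroups(0, NULL);
}

int main(void)
{
    char *const args[] = { MAIL_CLIENT, NULL };
    char *const env[]  = { "PATH=/usr/bin:/bin", NULL };  /* drop caller's env */

    if (lock_to_effective_ids() != 0) {
        fprintf(stderr, "IDs not pinned, refusing to start client\n");
        return 1;
    }
    fprintf(stderr, "inherited supplementary groups: %d\n",
            supplementary_group_count());
    execve(MAIL_CLIENT, args, env);
    perror("execve");
    return 127;
}
```

The ID change only decides who the client runs as; what it can read or write still depends on the file permissions given to that account and to any supplementary groups it inherits.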
Uhhh (Score:2)
Troll time, cause this is just fucking stupid. I had someone ask me last night why I use a Mac and I found it difficult to explain how a bunch of little easiness adds up to a nice system. When this is a great example, even if Apple had such massive security holes and released a patch, they would NEVER give such idiotic instructions. It's like Microsoft is saying "We are too damn lazy to actually patch IE so that it installs without the massive security hole AND additionally we are too damn lazy to write a patch that works on all affected systems, therefore you may have to upgrade your version of IE (how convenient) then patch it"
Stupid, just fucking stupid. Get a clue Microsoft.
Re: (Score:2)
Re:Not on windowsupdate (Score:2)
If you read their security bulletins, the order goes something like this:
Because patches require additional packaging and set-up for the Windows Update site, they are delayed by about a week, depending on dependencies.
---
Vollernurd.
Fallout? (Score:2)
It's at the point where almost nothing surprises me anymore about how tenaciously some managers cling to Microsoft.
I was at a company that bought some fairly esoteric, hard-to-find parts from another company through a web-interfaced front-end app that accessed the other company's inventory system. About a year-and-a-half ago, they migrated to IIS from Apache for the front-end. They'd previously been an all-UNIX shop but had trouble when the front-end went Windows NT and the inventory app stayed UNIX. So, with the help of many consultants and at least two clueful in-house geeks they went all-NT.
Problems out the wazoo, but my company tended to be faithful to suppliers so we put up with bungled orders, downtime and other problems that would cause us not to buy from a supplier if they were new to us. Finally an IIS update was applied at the supplier's site that broke the web ordering for anything but Internet Explorer.
Our company used and supported Netscape only, so we tried to persuade them to make their site work with Netscape. I'll give them credit; they really tried. (Then again, our orders were over 60% of their revenue stream.) Our CEO lunched with their CEO and told him exactly what was at stake: it was costing us too much to do everything by phone and they had to get something running that was usable or we'd have to go elsewhere.
Keep in mind the old UNIX-based system was still around and running parallel and could've been brought back online. Their IT manager was so committed to keeping NT that he wouldn't switch back.
We stuck with them for another few months despite the additional costs associated with doing business by phone only. They went out of business several months after we regretfully took our trade elsewhere. I know some of the other IT guys at other companies that used the supplier and the word was that their move to NT from UNIX eventually cost them more than 80% of their revenue due to the higher-volume customers leaving.
This was no startup company; they'd been around since at least 1989. Was their move to NT the major factor in their death or just a sign of other bad decisions that were going on behind the scenes? I suspect the former. Why did they cling to Microsoft as they lost more and more revenue because of that decision? Their IT manager had dropped beaucoup bucks on MS products in an attempt to save the company money and didn't want to lose his job for that catastrophically bad decision.
So, will there be fallout? Probably not enough to make Microsoft mend its ways, if not its programs.
best foot forward (Score:4)
First off it's not ALL of the Linux zealots and in fact I've noticed the majority who get caught up in that (OS name calling) mix, tend to be newer users of Linux who could barely chop up source on their own often jumping on irc channels or mailing lists with the shittiest questions.
claiming that they're the most worthless piece of shit software company on the planet? Anyone who has to reinstall a Windows OS every god damn month is just a fucking moron. Anyone who can't keep a Windows machine up for more than a day is also a damn moron.
Actually I don't think it's the most worthless piece of shit OS on the market by any means, in fact I think MS has strategically placed itself on the markets for reasons like Ease of Use, familiarity, since OS's like Linux, NSD, etc., are almost impossible for Mary Joe Homemaker, and Sally Secretary to handle, however it's bullshit to think anyone can keep a Windows machine up all day is a moron. E.g. there's been plenty of times I've seen Windows go bonkers for no reason especially Windows2000k with all the patches to date for the machine.
Last year when I was tinkering with codes on a DoS paper I wrote [antioffline.com], I slightly modified my code to connect to a non open TCP port on my Windows laptop and it still crashed it for no reason. (FYI code is here [antioffline.com]) The OS did a great job of crashing from time to time when it wasn't online, no one touched it, just pooped out on its own.
Sure, you have to reboot to patch and install software, but who the hell cares?
I would care if I oversaw a network of 1,000 boxes which needed patch upgrades every week, only to be restarted. Think about it for a quick second as I outlined in the funny Microsoft Kills [antioffline.com] paper, 1,000 servers multiplied by about 3 minutes downtime, then you've got lost time spent and I don't think any administrator be it Microsoft or any other company is going to be kind enough to say "Hey don't worry I'll patch these on my own time, no need to pay me." Fuck no that shit costs money after a while.
Come on, get a damn clue and jump off that damn bandwagon.
I find it funny seeing OS wars go on when in reality 95% or more depend on Windows in some shape form or fashion, last time I checked accounting was looking for Excel files, secretaries were saving *.doc files... Sure Linux advocates have the right to moan it's their choice, just sit back and get a kick out of it, I do.
Re:If Netscape would just get off their ass (Score:3)
the next month or so while this would still be a big deal
That may be wishful thinking. Most corporate IT departments are already in the "all your soul are belong to Microsoft" category, and this is just another in a long, long list of screwups that they've already shown that they'll tolerate. My own employer doesn't bother putting out advisories or upgrading desktops any more. And how many personal users will even find out about this, much less care? If it doesn't hit the mainstream media, it's purely a geek issue.
If Netscape would just get off their ass (Score:3)
Of course, I don't honestly think they HAVE the resources or ability to make their browser suck less than IE, especially within just the next month or so while this would still be a big deal. But it would be neat.
Not on windowsupdate (Score:5)