New IE Holes Discovered 801
joelt49 writes "Yahoo! News is reporting that 7 new security holes for Internet Explorer have been discovered by a Chinese researcher; however, there apparantly aren't any attacks on IE yet." The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list. Sure, a lot of people don't like Microsoft, but that's no reason to make it worse for the millions of people who are forced to use Microsoft products, especially for security holes which have yet to be exploited.
Topic was briefly discussed at NTBugTraq (Score:5, Informative)
I think MS has the responsibility to address their customers concerns immediatelly (naive, I know), especially IE's overly close integration with the OS which causes most of these exploits.
As usual they dont all work (Score:1, Informative)
half the exploits don't work (latest WinXP), the remote exploits doesn't , and the rest require physical local access which sort of negates security on a windows box
this isnt news
at least not to those who are on the lists who see this "hackers" postings on a regular basis
Addendum (Score:4, Informative)
Disable Active Scripting and find an alternative to IE ("use another product"). Not very realistic unfortunately, when companies have invested so much in integrating (and accepting) some of the flawed functionality in IE.
I do find that people are starting to be a lot more receptive towards MS-alternatives, especially when the mass media is now jumping on the bandwagon as well. Now techies find themselves explaining their choice of MS over and over again, to hype-induced managers.
Re:Forced? (Score:3, Informative)
1) There are virtually no "integration" issues between Mac OS X and Windows. OS X supportes Samba out of the box.
2) I thought most companies frowned upon games on company computers , on company time ?
actually, this is old (Score:5, Informative)
Microsoft is being forced to eat their dogfood... (Score:4, Informative)
Microsoft has claimed time and again that their response times to security alerts are sterling, as opposed to the "slow" response times for OSS. They make these claims without telling consumers that they have known about the exploit for months and are publicly releasing knowledge right before they release the fix.
This is a case of people letting Microsoft's boastful ways catch up to it. If they are as fast as they have claimed, time and again, there won't be a problem for those people who are diligent in patching.
Additionally with the advent of companies using the DMCA to try and stifle this behavior, it is more important than ever to engage in it and further show the flaws with this absolutely off the wall piece of legislation. See this [slashdot.org] article.
Re:Incident response times (Score:5, Informative)
Feel free to Google.
yes, forced, ESCAPE NOW. (Score:3, Informative)
Not true, Microsoft makes it very difficult to use anything but Microsoft junk. The first level of anoyance is a barage of scary warning messages about "signed code". Then there are constant anoyance messages which require confirmation and include the option you don't want. In time, you will push the wrong button. Finally, Microsoft breaks other programs on their platform. My little brother uses XP and keeps it "up to date" by accepting whatever M$ pushes at him. It broke Mozilla. I consider that a force.
The only way to avoid all of that harassment and the insecurity that it creates is to leave M$ completely. If you still think it takes a lot of effort, you need to play with Knoppix. The only trouble you might have is with winmodems and other nastier hardware which does not work well under windblows either. It's easier for indiviuals to install and way easy for technicians. It's good for individual users and far superior for business.
There's probably someone near you who will do an install for less than the Windblows install going rate. Just google your town name with "free software", Linux and other likely terms. Hungry geeks, such as myself, will happily come to your house for $40 and set you up. Businesses will pay by the hour but save hundreds per machine and employee every year.
using Mozilla is not a cure all (Score:5, Informative)
So the fact that I'm using Mozilla on Win 98 right now, doe not mean I'm guarenteed immunity from these new holes.
No Exploit, eh? (Score:5, Informative)
Exploit code, anyone? A simple google search or a Bugtraq archive browse should do it.
Re:Incident response times (Score:5, Informative)
It's even worse when done by design [winntmag.com]. Once a scoundrel - always a scoundrel.
Perhaps the Microsoft spokesman is lying (Score:5, Informative)
What was released recently was sample exploit code.
If you are a Microsoft spokesman then, of course, you have to say that, "Hey, if we don't have a fix then it must mean we didn't know about it." So it's not even lying to say that you weren't told. It's the only logical thing.
The spokesman was not aware that Microsoft had released unmarked patches [ntbugtraq.com] for some of the problems.
it is a good thing not to warn microsoft (Score:1, Informative)
and dont cry if they're full of holes and you get hacked/cracked/whatever
you made a choice by keeping with them
you get what you deserve
Re:Incident response times (Score:3, Informative)
Way back when I was getting my degree, one of the lecturers had implemented this interpretive language called Codil (COntext Dependent Information Language) in Cobol. It was apparently really good at solving certain types of problems, but one of it's own problems was that the interpreter partially depended on some bugs in that one particular Cobol compiler. When Bugfixes were applied, the author needed a description of the fixes so he could track down the problems they were causing his interpreter.
Another problem will have been that the hardware he used was an ICL 1900 - a 24-bit machine with 6-bit bytes and whose successor (the ICL 2900, I think) was totally incompatable to it. ICL was taken over by Fujitsu some time in the 80's.
Google has quite a few pointers Codil but they all appear to be historical.
Microsoft doesn't either (Score:4, Informative)
Re:I've been trying my best to switch people away (Score:2, Informative)
For example, install Mozilla, and all your Favourites disappear. They're probably buried in the Bookmarks menu somewhere (sometimes they're not imported at all), but to the average user, they might as well be gone. Or, at best, it takes longer to get to them. There's no good reason for that. I want my bookmarks where I put them -- who is Mozilla to move them into a submenu? Same with the Links toolbar -- all the bookmarks the user is used to having one click away are now gone. This creates the perception that IE is easier to use, and encourages users to switch back to IE. Worse, when you modify the bookmarks in Mozilla, the changes don't show up in IE, the Start menu, or anywhere else that uses the Microsoft method of storing favourites. You end up with two unsynchronized sets of bookmarks.
These sorts of things may not matter to any of you, reading this, but put Mozilla down in front of your mother, and she'll say, "I want it back the way I'm used to."
It's the little, basic features, that matter most to the general population.
Re:Incident response times (Score:4, Informative)
If they are, then I can see why researchers aren't playing their silly game, especially if they discover several bugs. Further, Microsoft is giving up a small advantage they could have over open source. If they allowed non-public reporting of security bugs, then they could have that information before the crackers get it, while open source bugs are generally reported to open developer lists.
Re:it wouldn't change anything (Score:5, Informative)
Re:Incident response times (Score:1, Informative)
I guess you missed the bit where zlib (not gzip) code was in all manner of Microsoft products, such as DirectX? Microsoft uses just as much Open Source code as any Linux project.
Re:Incident response times (Score:3, Informative)
When the bug was found, some other packages had to patch the versions of zlib they contained, but the critical thing to note is that the ones that included zlib could just apply the patch to the older API version they contained, or to the trimmed version, or whatever they had. This meant that people could apply the patch without breaking half of their software, which depended on the particular API they were using.
Re:It's hardly bad... (Score:3, Informative)
That's ridiculous. No decent OS should allow itself to ever be crashed by any application software.
Re-read the parent's post. He's not talking about Microsoft having to do workarounds for bad apps to prevent Windows from crashing. The workarounds are to prevent the bad 3rd party app from crashing.
For example, many apps written for Win9x had tons of flaws with heap overflows, double-freeing pointers, dangling pointers, etc., but the developers "lucked out" and their apps didn't crash. However, when you tried to run the app on Win2k/XP it would fall over and die. In order to make XP compatible with older software they had to port the whole Win9x memory manager to XP and "shim" the memory functions in those apps so they'd work.
There's a lot more to it than that, MS expends an astounding amount of effort to ensure that old software will run. Check out the application compatibility database sometime.
(And even worse, Microsoft provides tools that you can run your app under to see if you have many of the types of flaws that create application compatibility problems (and random crashes), yet almost no developers use them.)