4 New "Extremely Critical" IE Vulnerabilities 1081
TopherTG writes "Buckle your seat belts folks. On what is looking to be the next Black Tuesday, with rumors of 9 new Windows security patches being released, Secunia is reporting on 4 new vulnerabilities in IE that allow for arbitrary code execution and placing content over other windows. Combined with the new Windows patches, it is likely more Download.Ject and Sasser like viruses will be emerging in the coming months."
At what point... (Score:4, Funny)
Re:At what point... (Score:5, Funny)
Re:At what point... (Score:4, Informative)
Re:At what point... (Score:5, Informative)
Re:At what point... (Score:5, Interesting)
Netscape 4.x and older wasn't modular enough to embed in their client.
The Mac OS X version does use the Gecko rendering engine (which ain't 'Netscape' it's just the rendering engine) and Compuserve also uses Gecko.
But AOL has been IE based since they moved away from thier own browser.
Re:At what point... (Score:5, Funny)
Re:At what point... (Score:5, Funny)
That and they are so easy to install.
Re:At what point... (Score:5, Funny)
Re:At what point... (Score:5, Funny)
Be Fair! (Score:5, Insightful)
IE works, it does some things well. Anyone who remembers many of my posts over the years knows I'm no fan of Microsoft, but their browser does work. Effectively it's not the browser that's broken, but their implementation and bundling. Where Mozilla or Opera are stand alone applications, IE has links directly into the OS which make the vulnerabilities. If Microsoft had simply played by the same rules everyone else had to, there would have been far fewer problems for them and far fewer embarassments for them.
When competitors and gadflies all pissed and moaned about Microsoft playing unfairly with this bundling strategy, which most of their non-directly-Operating-System software is built following, it wasn't the DoJ or courts that should have been listening, but Microsoft themselves.
Perhaps there should be a Darwin Awards for software, awarded to those companies which continually hoist themselves by their own petard.
Re:Be Fair! (Score:5, Insightful)
But I maintain that is very old by this point, and is not wearing its age very well. Security problems such as these indicate to me that Microsoft should really just sit down with their code at some point soon and fix what's wrong. IE at the core does have the potential to be a good browser, in that I agree with you, but in its present state, I just think that it's nowhere even close to being good, let alone the best.
Re:Be Fair! (Score:5, Insightful)
The rendering engine is slow (compared to Opera, so I'm a bit spoiled), the user interface is missing things that competitors have had for a while (mouse gestures? popup blocking? selective image/cookie blocking? tabbed browsing?), and it's got the aforementioned security issues.
IE stores each individual cookie and each individual cache object in its own file. I have seen computers (P2/350 on win98 with ~10K cache objects) get slowed to a crawl by this. Might be a good idea on reiserfs, but fat32 (and probably ntfs) choke and die on this.
Sure, there are websites that only work in IE. That's partly because people design them to be bug-compatible with it, and partly because any website that doesn't work in IE won't get published.
Re:Be Fair! (Score:5, Interesting)
Style property "position:fixed;"
I want you to make a div that stays put on the page where you put it, and doesn't jump up and down on a page like a jumping bean when you scroll. It's easy enough in Opera/Mozilla, where the fixed position is supported. But IE doesn't recognize that attribute, so it sets the position to static. How then are you going to do it?
This problem took me almost 2 days of work to get working in IE. I had to create a toolbar for the top of a page that would scroll. I eventually found a few CSS hacks to do it, and it works great, although it does crash IE if combined with some other scripts, so it's not perfect.
My point is that while you have demonstrated one specific case where IE makes development a little easier, I think on the whole, the W3C methods just make life much easier than some de facto standard that Microsoft thought up on the spur of the moment. I code to standards because I prefer to write code that isn't bound to one specific version of one particular browser.
And if you check the specs of borders according to the W3C recommendation, you will find that Mozilla is behaving appropriately in the case of the table border. IE is in error. (However, the problem might go away in IE if you use aren't in quirks mode. (ie. use a correct doctype))
Once again, I regret posting in this discussion, as I would have loved to mod you down for being blatantly wrong.
Re:Be Fair! (Score:5, Insightful)
As an old programmer, I recognize this as the great hazard of integrating applications into an operating system. Changes to the app require changes to the OS. Change the OS and you should test the app still works. It does get very long of tooth and requiring too much bubble gum and bailing wire to keep going as the becomes ever more fragile. This is why Microsoft, of all people, should have been wary of this practice.
I've been one not to bypass APIs and try tweaking operating systems, file structures, etc. manually as there's always the possibility the feature may cease to work or produce unexpected and disasterous effects. When Microsoft changes the OS the API should still work and largely does for those apps built upon it. All this messing about with the OS, though, when there are dependencies upon dependecies directly connected to the OS is bound to falter.
What Microsoft should do, but probably won't until it becomes excedingly painful (isn't it already? with the Dept of HL Sec. issuing an advisory against using it?) is start over and obey the developer rules they insist everyone else does, but they ignore.
Slighly OT, but underscoring the point I think: Years ago I anticipated with baited breath the arrival of Ultima V for the Amiga. I had an A2000 all decked out with HD, memory, all the toys. Comes the software and I find it behaves really oddly with the keyboard. A few inquiries reveals Origin Systems outsourced the coding to some house in the UK who ignored the APIs and coded to access the keyboard directly. Unfortunately their development platform was the A500, which handled the keyboard differently, thus all other versions had great problems. If they hadn't tried to be so damn clever it would have been a big success as a product and everyone would have been happy. As it was people like me saw red and wanted blood. The platform and software may change, but people still respond the same to betrayal. In this case it's Microsoft who has betrayed the customerbase as well as themselves on a very poor path of development decision making, attempting to outdo their competition.
Re:At what point... (Score:4, Funny)
Built one of these, have you? (Score:5, Insightful)
Built one of these, have you? Do tell, do tell.
Re:Built one of these, have you? (Score:5, Insightful)
Re:Built one of these, have you? (Score:5, Insightful)
features? like tabbed browsing? popup blocking, integrated search? do we see that in IE? the only features MS have added to IE in the last 5 years have been 'smart tags' and a bunch of 'enhancements' to the w3c dom, the scripting language, the html tags and so forth which, although they have earned me good money for my sins as a javascripter, just shit people off.
so with security taking *such* a backseat, can we ever expect IE to be secure? all i want is proper CSS and javascript support and i don't want to have to run a testing centre with 160 combinations of browsers and platforms (we had something approaching this at a place i used to work)
Re:Built one of these, have you? (Score:5, Informative)
IE is NOT a web browser (Score:5, Insightful)
Now, taking the software that is responsible for interfacing with the OS and making it your default tool for interacting with the outside world was just plain stupid -- a marketing/legal department move to skirt the ruling that they couldn't bundle IE with Windows. Once done, however, almost any problem with IE becomes a root exploit. Surfing with IE makes this problem go from some risk to extreme risk. The only way to avoid this kind of escalation is to separate web broswer from OS interface: something MS doesn't want to do since then they are back to the bundling problem.
Re:IE is NOT a web browser (Score:5, Insightful)
Exploit yes, root exploit, no, not unless the user is running as an Administrator. IE still runs at the privileges of the logged on user.
Re:IE is NOT a web browser (Score:5, Insightful)
Re:IE is NOT a web browser (Score:5, Insightful)
Praise Mozilla (Firefox) for having a single-directory non-administrator install. Intuit (Quicktax) can go to hell...
I'll stop ranting now. Micrsoft didn't help this with their lax security model in 95/98, but 3rd party software isn't helping the situation.
The Palm hotsync solution (Score:5, Informative)
The solution for Palm hotsync:
Give the user Administrative-level access.
Install the Palm software.
Explicitly grant the user access to the installed Palm files in Program Files (rather than doing it via Group access).
Remove the user from the Administrators group.
Voila. Palm hotsync works without Admin rights. The temporary Administrator rights are needed so that the installer can create certain user-specific registry keys. Another way to do it is to install it under an Administrator's account and then export/import the reg keys, but my boyfriend reports that temporarily setting up the user with Admin rights is overall easier.
Re:IE is NOT a web browser (Score:5, Insightful)
Good one. You can't even run some MS developer software without root (hmm, Administrator) privileges! (eg. eVC++ 4.0). And let's not even start about non-MS software (eg, games). Using a MS box without administrative priv. is like having a car with no engine - nothing works!
Hell, when Administrative priv. are required, what does Windows software do? It pops up, "You have to be running as an Administrator to ...". It doesn't even ask you for Admin. password to complete its function. You just have to relogin. And thanks to the great "multi user capabilities", you have to log out of your current session first.
Running the OS as a non-Admin is like trying to run with pains-ticks up your ass. And then running as an Admin seems not much better (see story)!!
PS. I think MS's "Run As..." needs an extra 's'. At least 'su' works!!
you need a history lesson (Score:5, Insightful)
UNIX has had a clean and simple separation between administrator and user privileges since the 1970's, and Linux uses the same mechanisms. UNIX and Linux have faced the most formidable opponent trying to break down that barrier over decades: the college student, who can spend hours a day trying to break into university systems. And they did. And UNIX developers fixed the bugs and adapted the security models.
The people who need a history lesson are Microsoft developers. They just started hacking some time in the 1980's, giving a damn about security or any of the other hard stuff. That kind of ignorance got hardcoded into Windows APIs, libraries, documentation, coding styles, frameworks, and instructional materials. That's why most third party developers for Windows put files all over the place and don't pay any attention to security either.
It's not surprising Microsoft and Microsoft developers managed to grind out popular GUI apps quickly--they cut corners on all the hard stuff and didn't even know it. The UNIX nerds at the same time were saying "this isn't the right way of doing it": they were looking 10-20 years down the road with the experience they already had, but because they were thinking long-term, Microsoft beat them on time to market and price. That's why Windows, and not UNIX, rules the desktop today. But ignorance and backwards-compatibility issues are catching up with Microsoft, and it seems quite likely to me that their fall is going to be just as spectacular as their rise.
Re:IE is NOT a web browser (Score:5, Insightful)
That's not exactly true. IE is the web browser, and Explorer is the interface between the user and the windows OS. Windows is very modular in this respect, IE has an executable named "iexplore.exe," and windows explorer is "explorer.exe." "iexplore.exe" is located in the Program Files directory, "explorer.exe" is located in C:\Winnt or C:\Windows.
The two share a vast number of the same controls, and that is why you would think that IE is the same as Windows Explorer. Explorer sort of turns into IE if you try surfing to another site. The process keeps the same name, which leads me to think that IE is luanched as a thread or something. The About box changes, though, to reflect that it is IE that you are using, not Explorer.
The number of exploits that hit windows are caused by this amount of integration, and the sloppy programming that it was built with. It's the activeX component, or the COM control that has the flaw, and the processes just wrap that chunk of code. I imagine that if a flaw was found in KHTML, for instance, it would affect the Konqueror browser as well as Safari (isn't that the one that's KHTML based?). Thankfully, the source is out in the open with KDE, so exploits are typically taken care of with efficiency. Unless it's declared as a bug in Mozilla's bug-traq, and the devs don't want to do anything about it. But that couldn't possibly happen...
Re:IE is NOT a web browser (Score:4, Insightful)
Re:At what point... (Score:4, Funny)
"Trusted Computing" (Score:5, Interesting)
An additional issue allowing malicious sites to inject script into the Local Security Zone using anchor references has also been reported to affect Internet Explorer 6 running on Windows XP SP2 (release candidate / beta). This issue could not be confirmed on a fully patched Windows XP SP1 system.
So SP2, which is supposed to make Windows super-safe (even at the expense of backwards-compatibility in some case) may have actually introduced an IE bug.
Re:"Trusted Computing" (Score:5, Funny)
surprise (Score:5, Funny)
The /. Pool (Score:5, Funny)
Your prize today is 9 shiny new windows patches! And a new car!
Re:The /. Pool (Score:5, Funny)
Your prize today is 9 shiny new windows patches! And a new car!
<game show music>
But that's not all, Funkdid! Bob Barker is also going to come to your house and personally neuter your dog! Actual retail price of Bob neutering your dog, $129.99!
</game show music>
Re:The /. Pool (Score:5, Funny)
If only it was announced tomorrow, I would have won both showcases!!!!!!
Breaking News (Score:5, Funny)
Re:Breaking News (Score:5, Insightful)
Oh, for god's sake! (Score:5, Funny)
Why don't... (Score:5, Insightful)
simple answer (Score:5, Insightful)
Re:simple answer (Score:5, Insightful)
Because you lose business continuity (all those programmers have to stop doing what they were doing to rewrite the apps, then pick up again later on to waht they were doing, and hopefully haven't forgotten it all), as well as lost opportunities (all that new functionality they could have written instead of unIEfiying their webapps) and all the money the business units lose because they lost the use of the tools that were not developed.
Also, you have to assume that the programmers _can_ rewrite enterprise quality apps in non-browser specific code. That's a stretch as well.
Pulling a number out of my hat, I would say that less than 50,000 programmers in the US can write xhtml+ccs2 compliant code (not that they do--a lot less do, but at least they can.)
As far as companies being burned: suckers. They believed the FUD, bought it hook, line, and sinker, and now, they are royally funked. Oh well. I'll take that paycheck thank you very much.
Sucks to be them (Score:5, Insightful)
There is nothing revolutionary, even using ActiveX, that can be done in IE that cannot be done by other means with non-IE browsers.
The only significant benefit to doing IE-only development is the streamlined development tools.
This reminds me of a story I heard as a kid... The Three Little Pigs. Sure you can build a straw house quickly, but is it a long-term solution?
Re:Why don't... (Score:5, Interesting)
IE is lacking in functionality compared to Mozilla, and the MS development cycle is inadequate to respond to this type of problem, IMO--but the only way to stop the malware is to stop the malware authors. Bounties work, but to really stop them, we would have to sacrifice a lot of privacy which the internet still (sort of) affords.
Re:Why don't... (Score:4, Insightful)
Indeed. Still, though no software is perfect, I still think we'd be a lot safer on Firefox or any browser that doesn't so heavily tie itself to ActiveX and the Windows core.
>
Well, yeah, but let's not go the way of Homeland Security for the sake of tracking down script kiddies. One important step would be to require all code coming in from the Internet be signed. Now, you would have to know who published the code before we would install it. Also, any system that allows stuff to be installed in the background with no warning is dangerous. Windows could do like Mac OS X and require the user to enter their password before any system-level actions could be attempted. Also, they could use the Java sandbox idea where untrusted code is locked down.
The problem is not that dangerous code
Mainstream Media (Score:5, Interesting)
How long is it going to be before some big mainstream press picks these recursive stories up and starts recommending people try another web browser?
And is there anything we can do to get this in the press?
Re:Mainstream Media (Score:5, Interesting)
Unfortunately we live in the real world. If Micorsoft kept getting large amounts of bad press every time it announced a new exploit it would try even harder to hide the flaws instead of releasing a fix.
Re:Mainstream Media (Score:5, Insightful)
How come you guys are just sitting on your hands hoping the media picks it up instead of pooling your money together and getting a commercial on TV?
Re:Mainstream Media (Score:5, Insightful)
1) Write one or more versions of a news story (many, many stories in the media are dropped in essentially as they were delivered to the media). Hopefully this includes a "human interest angle", like Grandma Sally being redirected goatse.cx or giving up her CC number to ch.ase.com. Use only a minimal of substantive or technical details to avoid people who don't want to think through them. Yes, this is doing reporters' work for them, but that's how you get stuff in circulation when you're outside the loop.
2) Call (email might work, but probably not as well) the editors of Style/Living/Consumer Affairs pages of newspapers and TV stations and pitch em the story. Again, this is reporter work, but it gets the story in the news.
3) Lather, rinse, repeat. Fan the flames by providing more juicy details with human interest angles - disgruntled MS employee, evidence that problem is far wider than acknowledge "they don't want to you to know this...", speculations about apocalyptic collapses of the economy. Involve porn to feed the public's prurient side. Modify the story a bit for consumption by other stations/papers/etc as it evolves.
This is how most political scandals evolve - someone plants the story and fans the flames for a week or two in the public gets tired of it. To do real damage, you sync the stories with lulls in other news and cycles of public mood.
Obligatory FireFox Boosterism (Score:5, Insightful)
http://slate.msn.com/id/2103152
Re:Obligatory FireFox Boosterism (Score:4, Informative)
Re:Obligatory FireFox Boosterism (Score:5, Informative)
He starts off by saying the cache folder is known - actually the folder name has random characters (last 3 in Firefox, first 8 in Mozilla), so that's not true - you have at best a 1 in 17000 of guessing it.
Then he talks about the user opening file:// URLs - what would cause the user to do that? If you have to tell the user "please type this URL into your address bar", that's not much of an exploit. Links to file:// URLs from http:// URLs don't work.
And as someone else pointed out, the script running in a page from a file:// URL has pretty much the same permissions as a script running in a remote page anyway - there is no "local zone" concept in Mozilla/Firefox.
Certainly sounds like there may be a bug or two described there, but I don't see an exploit.
Re:Obligatory FireFox Boosterism (Score:5, Interesting)
IE Developers (Score:5, Interesting)
This is not something you want to wake up to as a developer, whether it's proprietary or open source. It's just that they can't make decisions based on solving the problem alone, they have so much red tape to go through to make changes, that even though they might want to solve this problem, someone on the top is making it difficult.
Re:IE Developers (Score:5, Insightful)
No, they are idiots. Remember that simple BMP image buffer over-flow found when the leak of the Windows Source code ? [netsys.com]
That has nothing to do with upper-management decisions. More like Microsoft's human resources problem of hiring people from good colleges who lack real programming experience.
Sunny Dubey
Re:IE Developers (Score:4, Insightful)
Re:IE Developers (Score:5, Funny)
Didn't get the MS summer job either, huh?
Internal MS Memo (Score:5, Funny)
IE has a vew unsolved vulnerabilities to say the least. Download the latest version of Firefox or Mozilla from http://www.mozilla.org/.
Thanks,
Bill G
Excuse me while I cry... (Score:5, Interesting)
Ok I'm through crying now Microsoft hear my pleas....
Re:Excuse me while I cry... (Score:5, Insightful)
No Surprise (Score:4, Interesting)
1.IE to not be a part of the actual operating system (not going to happen, they've already committed)
and
2.Web Developers to write code that is compatible with all browsers (i.e.: not written just for IE, such that if another browser is noticed, service rendered unusable).
when this happens, i will be pleased.... until then, i guess we're going to be fighting off more exploits than one can shake a stick at.
Re:No Surprise (Score:5, Interesting)
If you ask me, that's something people should be working towards.
Security as a selling point (Score:5, Interesting)
Yes, Microsoft gets attacked because they're the biggest target. No, I don't buy the argument that all OSes are inherently just as secure or insecure as other OSes. Just compare Windows 98 to Windows XP, or OpenBSD to Windows ME. All OSes are not the same, and marketshare is not the only factor.
Is it just me? (Score:5, Funny)
Will the masses heed the warnings? (Score:5, Insightful)
Just imagine if cars were sold with this many problems. Or home security systems...
Maud'dib would be proud (Score:5, Funny)
Just set a box of Windows XP out in the field, and the worms keep rolling in. They stopped for a moment and we were afraid we would have to go back to the old method of using shovels and a bucket. But, like magic, they kept coming and coming.
All hail the Quizatz Hadderach!
Got Sploit? (Score:5, Funny)
Remember when 2000 was supposed to be the most secure ever? Then XP? Now it's Longhorn. I didn't believe them then and I don't believe them now.
I feel sorry for the poor Windows poopies. Paying big bucks to get porked like a cheap prom date. And not so much a kiss from Billy boy.
My company has one clients who refuses... (Score:5, Interesting)
In Other News... (Score:5, Funny)
IE bugs and phishing (Score:4, Informative)
The fourth vulnerability (createPopup) has already been exploited in phishing scams for some time now [jenseng.com]. Initial [securepoint.com] reports [webhostingtalk.com] of the exploit only started coming in a couple months ago, even the vulnerability has existed since IE 5.5.
Scammers use it to mask the address bar and/or other browser widgets (such as the secure icon). This exploit is particularly dangerous because it can be used to mask/disguise any part of the user's screen, including other windows or even the start menu.
I submitted it to slashdot over a month ago, but it was never greenlighted. I guess these IE vulnerabilities are so commonplace it takes several at once to make the main page...
Sasser Like Virus for IE? (Score:4, Insightful)
Well Now (Score:5, Funny)
It's hard to stop laughing ... (Score:5, Insightful)
Posted by simoniker on Monday July 12, @05:02PM
MSN, Word Vulnerable To Shell: URI Exploit
Posted by timothy on Monday July 12, @07:42PM
4 New "Extremely Critical" IE Vulnerabilities
Posted by CmdrTaco on Tuesday July 13, @11:45AM
Microsoft Expects 1 Billion Windows Users by 2010
Posted by CmdrTaco on Tuesday July 13, @08:14AM
Is MS trying to be funny or something? Honestly, I really think you have to try to mess-up this badly this many times in such a short period of time... I can't believe a mainstream revolution leaving MS products isn't occuring...
When are the masses going to learn?
Re:It's hard to stop laughing ... (Score:4, Insightful)
When there is a VIABLE desktop alternative to Windows?
Even MS Fans Are Switching (Score:5, Interesting)
But not when it comes to IE. It is fairly clear to me, and anybody else whose mind is not clouded with zealotry, that IE is the single best attack vector into the average personal computer. Nearly all PC users use IE for a significant portion of the day, and nearly all of those users have no idea that visiting a web site could be dangerous.
I stopped using IE about 6 months ago when a web page managed to install spyware on my machine. I was fully patched, but it happened anyway. If it weren't for McAfee Antivirus, I never would have known. I've been using FireFox ever since.
Up until FireFox
So, there you have it. A diehard Microsoft fan dumping IE like a bad habit.
The real problem? (Score:5, Insightful)
email to family members (Score:5, Interesting)
This will be the last email that you will receive from me about security holes in Internet Explorer. Microsoft is not able to release patches quickly enough to secure Internet Explorer. The U.S. Department of Homeland Security now recommends that if users are unable to patch the security holes in Internet Explorer that they use another browser. Please switch to the latest version of Mozilla web browser. You can find this web browser at http://www.mozilla.org/
http://secunia.com/advisories/12048/
Andrew
Perfect Exploit (Score:5, Interesting)
Anyone know of one? The terms are too generic for a quick google.
S
"Trusted Sites"... (Score:5, Interesting)
So I hate to have to do this. Really. (Score:5, Informative)
There are a lot of environments, however, where switching from IE just isn't an immediate option. In the future, perhaps, but worm writers and virus scripters won't wait. So here's my advice, my hope, and my PLEA to all you I.T. guys out there.
No matter how much you hate IE, please, for the love of God, get your users to UPDATE THEIR SYSTEMS WITH THE PATCHES. Even if they don't use IE.
We can all save ourselves and each other a hell of a lot of hassle by taking Microsoft's efforts to patch their product as what it is: an effort (however feebly-, politically-, or economically minded) to secure their product. The viruses and worms generally aren't harmful to the user--it's all the network traffic that infected machines produce that is the major headache. Spam, pingfloods, DDoS, it all targets other services and the infrastructure on which we all depend. Be neighborly on the Internet, and make sure you've got your systems are secure as they can be, even if they're not the systems you'd prefer to run.
Switch browsers, yes. If it makes sense for you and you can do it, go for it. But don't let everyone on your site get infected in the meantime. Remember that the the majority of viruses and attack exploits out there in the past months have been proactively counteracted by Microsoft patches.
Infections are caused by morons who don't patch. DON'T LET YOUR USERS BE MORONS (to the extent that this is possible).
Thanks,
The Internet
So I've been contending (Score:4, Interesting)
Then last week the shell: bug in Mozilla was reported, and I was humbled. Perhaps, I thought, perhaps Mozilla wasn't really all *that* much better than MSIE, and I was being silly by my stance that MSIE was an unsafe product and Moz was a safe product. Maybe, I thought, trusting any software vendor is just as silly as trusting Microsoft.
Then I see this news today and I don't feel so humble anymore.
One thing I found odd, though. I haven't done a close study or anything, but when the mozilla vulnerability was found last week, it was very widely reported. I saw it at least twice on news.google.com and I believe on cnn.com. But with these new IE vulnerabilities? Well, maybe it's just too soon, but cnn.com has nothing on this-- it does have a story "renewed calls for alternate browsers" which mentions in the second paragraph two IE bugs that MS fixed already-- and news.google.com has nothing. And n.g.c's top tech story?
Microsoft CEO Touts Security Push at Conference
Reuters - 55 minutes ago
SEATTLE (Reuters) - Microsoft Corp. MSFT.O is taking a big step toward boosting the security of its flagship Windows product in August with the release of a major software update, Chief Executive Steve Ballmer said on Tuesday.
Give IE some credit... (Score:5, Interesting)
Re:Black Tuesday? wth? (Score:5, Informative)
http://mutualfunds.about.com/cs/1929marketcrash/a
"Black Tuesday is notorious for being the worst day in the U.S. stock market"...
You didn't even try, did you?
Re:Black Tuesday? wth? (Score:5, Informative)
Re:Black Tuesday? wth? (Score:5, Funny)
Re:Black Tuesday? wth? (Score:5, Funny)
Re:Black Tuesday? wth? (Score:4, Funny)
Re:Black Tuesday? wth? (Score:5, Insightful)
Now imagine Microsoft adopting a policy of releasing patches on a known day of the month. Imagine coming up with a corporate plan to handle those patches on a predetermined schedule.
You decide which is better.
Re:Black Tuesday? wth? (Score:5, Funny)
Re:Black Tuesday? wth? (Score:5, Funny)
"back in the day"
God I feel old...
Re:Solution: (Score:5, Insightful)
Re:Solution: (Score:5, Funny)
Boy, MS' spin control just gets more clever by the day...
Re:Solution: (Score:5, Informative)
This effectively emulates the domain-specific Javascript settings in other browsers.
Re:IE SP2 RC2 is not vulnerable (Score:5, Informative)
Internet Explorer in Windows XP SP2 Releae candidate is not vulnerable to any of these exploits.
*ahem*
An additional issue allowing malicious sites to inject script into the Local Security Zone using anchor references has also been reported to affect Internet Explorer 6 running on Windows XP SP2 (release candidate / beta).
W3schools isn't indicative of the entire web (Score:5, Informative)
If you want a better general representation of the web, Google's Zeitgeist web browsers graph [google.com] (from May) is a better place to look. If you zoom in, you do see that the Mozilla based browsers are slowly gaining.
Re:IE is deprecated (Score:4, Insightful)
I've had the worst time being the only Linux guy in the office, and my cries have not completely fallen on deaf ears, as 2 of my co-workers have installed Firefox recently. But when i can talk to someone for less than 5 minutes about the pros and cons of Mozilla and open source browsing vs. IE, most of them nearly start sobbing with all their troubles.
People daily complain to me about the bot problems or spyware issues that they have. I was sympathetic and helpful for a time. But now I wanly smile and say "mozilla.org/firefox" and walk away. Those super-cool guys with browser problems can kiss my ass until they start listening to me, and the rest of the world.
Re:Running as Admin (Score:5, Insightful)
If Windows wasn't such a pain in the ass to run as a non-admin user, then this wouldn't be such a fundamental problem.
Re:Alternative Browser Security Question... (Score:5, Informative)
Re:Alternative Browser Security Question... (Score:4, Insightful)
Any complicated piece of software is bound to have some flaws, but the "dur.... let's have our web browser be able to run a 'format c:' from HTML tags! That's a great feature!" attitude at MS isn't helping their security woes. Apple and the Mozilla Foundation, on the other hand, seem to be taking security seriously, which probably means that, even had they the 95% market share, it's likely they would still have fewer viruses and security exploits.
So you're comparing Mozilla users' claims to better security to Apple users' claims is perhaps appropriate. However, implying that either of these claims are false is jumping the gun a bit.
Re:Alternative Browser Security Question... (Score:4, Interesting)
First off, as soon as an exploit is found, anyone can fix it. You don't have to wait for your manager to assign the task of developing a fix to you, develop it, send it to testing for a month of evaluation, then work with marketing to schedule it's release. In most cases a fix will be out the next day.
There's also the fact that increased market share for competing browsers reduces the incentive for creating viruses, trojans, etc. Say I'm a spammer, crime lord, activist, script kiddie, what have you. If I can develop a program that will allow me to infect 95% of the worlds PCs well, that's pretty cool. But if Moz/Firefox has 23% market share, Opera pulls another 14%, Safari/Konqueror back that up with 17%, and others grab 6%, That 95% of PCs I could infect developing an IE exploit drops to 40%. The incentive is nowhere near as great. Security through obscurity is a beautiful thing.
Re:Interesting... (Score:4, Funny)