New Trojan Threatens Windows XP SP 2 241
lightdarkness writes "Symantec is reporting about a new virus called Phel (Anagram of 'help') which is a Trojan which spreads via a HTML file. All the user needs to do is go to the page, and it takes advantage of the vulnerability in the IE Help control component files. This allows the attacker to download malicious programs on to the machine. Worst part is, this is one of the exploits that even effects SP2. Microsoft is said to be working to stop the spread, and to release a patch." The exploit is apparently not the same as the help file problems disclosed last week.
Microsoft happy with IE? (Score:4, Insightful)
so what exactly processes HTML in windows again? Some third party plugin? No... IE? ahhh... what a shame... and here I thought that there was no need to do anything to IE as it is so perfect...
Re:Microsoft happy with IE? (Score:5, Insightful)
Oh... yeah... IE is great... no need to change it until longhorn...
In all fairness, that statement was about features. Not security.
They'll keep on patching this Swiss Cheese after-the-fact for a long time yes, and know it.
Re:Microsoft happy with IE? (Score:5, Funny)
Re:Microsoft happy with IE? (Score:5, Funny)
unless you dont read the date marked "best before" before eating it. ;-)
Microsoft should have the same thing for Windows...
In all honesty, when Windows is isolated (or on an isolated network) and locked down (ie users don't have any way to install new software, etc..).. its not too bad.. Unfortunately, everyone wants to plug it into that dang Internet.. hheh..
Re:Microsoft happy with IE? (Score:2, Funny)
That reminds me of what I do when I get a new box that has a "Designed for Windows..." sticker on it. I always take that little sticker off and put it on a trash can...
Re:Offtopic, I know. Damage Control. (Score:2)
But I agree with your comment about the parent poster. Interestingly, a number of people seem to think the way he does. There's one word I can think of (again, I'm just being technica
Re:Offtopic, I know. Damage Control. (Score:2)
Elder #2:
Conquistidore:
Elder #1:
Spaniard #1:
Spaniard #2:
Spaniard #3:
Conquistidore:
Elder #1:
Re:Microsoft happy with IE? (Score:2)
It seems that MS holding onto IE is simply to save face, there is no real value in IE any more, Mozilla is producing the better browser plain and simple and nobody in thier right mind can argue against that.
Microsoft should either get out of the browser market completely, or make IE7 based around Gecko, with a compatability API if they really want to support legacy cruft. I'd prefer the later, otherwise we'll end up like the IE on Mac situation where lots of peop
Re:Microsoft happy with IE? (Score:3, Insightful)
It seems that MS holding onto IE is simply to save face, there is no real value in IE any more,
Yes, there is. Customer lock in. Making moving onto non-MS platforms harder and more costly. And keeping MS as the dominant corporate desktop platform is their spearhead into the corporate server space as well.
Re:Microsoft happy with IE? (Score:2)
Re:Microsoft happy with IE? (Score:2)
I just don't see the sense in MS persisting with IE, I can't imagine how they can justify the expenditure when Gecko is sitting there, 10x better, and is going to cost them MUCH less than developing IE in the long run.
The same arguments could have been made about Netscape/Mozilla back in the 1998-2002
Re:Microsoft happy with IE? (Score:3, Insightful)
huh? that was "about features?" I don't think there has been any major new features added to IE since mid/late-90's. sure, it's up to date in the auto industry's development cycle.
Re:Microsoft happy with IE? (Score:2)
Yeah, well I think that was the point of everyone laughing about what Microsoft said in that article.
The guy you're responding to is pointing out that Microsoft never stated they wouldn't be releasing security updates for IE. Clearly they have been and will [need] to continue to.
Re:Microsoft happy with IE? (Score:2)
Re:Microsoft happy with IE? (Score:2)
I still don't think M$ understands why were screaming at them to update IE, we don't want features we want it to work properly.
Re:Microsoft happy with IE? (Score:2)
Microsoft are depressingly money driven, if they demonstrated a larger care for there customers instead of only the care for $'s they might not have the image of the big nasty evil company that they have.
Alternatively M$ is a corporate disease, MS is a chronic autoimmune disease.
Re:Microsoft happy with IE? (Score:2)
In all fairness, that statement was about features. Not security.
Security is a feature, especially when you think about it in today's terms. Microsoft has been pushing security enhancements as a feature since they started talking about XP SP2 many moons ago. Security enhancements have been the center piece of OS enhancements we've seen from MS lately.
If the rumor is true, MS is making a *huge* mistake by delaying IE enhancements unt
Re:Microsoft happy with IE? (Score:2)
Most don't. Most consider "does this browser work with my banking site" as a feature. If it doesn't, they pass up Firefox/Opera/Safari.
Re:Microsoft happy with IE? (Score:2)
Most don't. Most consider "does this browser work with my banking site" as a feature. If it doesn't, they pass up Firefox/Opera/Safari.
People don't consider that a "feature", it's a requirement. Features are things like bookmarks, history, tabbed browsing, and saved passwords. Features are things that are nice but not nessicary. To get the best product you look at all the ones that meet the requirements (the ones that work for your bank site) and then compa
Re:Microsoft happy with IE? (Score:5, Funny)
Re:Microsoft happy with IE? (Score:3, Insightful)
Which means that the only way to avoid IE and its holes is to not use Windows at all. Microsoft's decision to make IE an integrated part of Windows is bearing fruit...
Re:Microsoft happy with IE? (Score:2)
Oh... yeah... IE is great... no need to change it until longhorn...
I wont repeat Ghandi's famous adage because comparing the strugle for Indian freedom to that of free software isn't remotely the same as the battle between proprietary and free software..
However, there is a strong symmetry between the two. Microsoft all too often has ignored the competition and then nearly missed the boat only to use it's desktop dominance to muscle back in on the action.
The problem is that this time, they've al
Re:Microsoft happy with IE? (Score:2)
There is constant egg on their faces, some new young competition is eating up their market share at astonishing rates, and they are always in the bad part of the news.
Microsoft has a cult-like culture, and this type of constant bad news does NOT go over well in those types of cultures. I'd love to hear from someone on the IE team... I bet they're wishing that they were on the Office team or something like that
Re:Microsoft happy with IE? (Score:2)
Re:Microsoft happy with IE? (Score:2, Informative)
The purpose of using IE is that it enables Windows to have a single HTML renderer loaded up into memory for a wide variety of tasks. By switching over to HTML based help, Microsoft has consolidated various rendering engines into one (HTML, specifically IE), all while reducing the overall memory footprint used up by
Well.. (Score:2, Funny)
Re:Well.. (Score:2)
The attackers are downloading malicious programs? (Score:2, Funny)
Upload to...download from.
affect/effect! (Score:5, Funny)
Oh, it causes SP2? That's absolutely terrible - it must be stopped!
Re:affect/effect! (Score:2, Funny)
Re:affect/effect! (Score:5, Funny)
I explained it carefully to the bemused agent a couple of times and eventually got a half-hearted agreement that she'd pass on my comments to the marketing team - but I knew in my heart that she thought I was completely mad and that she was going to close the call as soon as I was off the phone.
I wonder how much market share... (Score:5, Interesting)
Re:I wonder how much market share... (Score:1, Interesting)
Re:I wonder how much market share... (Score:4, Informative)
Or a lite version. They're fighting an uphill battle -- they need to keep their code compatible with the buttload of non standard features they've introduced over the years (mainly things like activex windows-specific plugins) that people have build applications on top of. If they were to release something that was stripped down (yet retained all the functionality of something on the level with Firefox) and gave the user a choice to install the backwards-compatible mess, they might get out of this situation.
Of course they won't because that gives people a migration path off IE (and eventually off Windows).
Re:I wonder how much market share... (Score:2)
The longer they hold out, thats one more reason people will want to upgrade to longhorn
Re:I wonder how much market share... (Score:2)
Adequate bash.org quote (Score:5, Funny)
Re:Adequate bash.org quote (Score:2)
Re:Adequate bash.org quote (Score:3, Funny)
Re:Adequate bash.org quote (Score:2)
Re:Adequate bash.org quote (Score:5, Funny)
Re:Adequate bash.org quote (Score:2)
Screwing for Virginity (Score:3, Insightful)
Re:Screwing for Virginity (Score:2, Funny)
A magic stork?
oh wait.... this is
[OT] Source code for phel ;-) (Score:5, Funny)
The lyrics are kinda fitting, don't you think?
[snip]
When I was younger, so much younger than today,
I never needed anybody's help in any way.
But now these days are gone, I'm not so self assured,
Now I find I've changed my mind and opened up the doors.
Help me if you can, I'm feeling down
And I do appreciate you being round.
Help me, get my feet back on the ground,
Won't you please, please help me.
And now my life has changed in oh so many ways,
My independence seems to vanish in the haze.
But every now and then I feel so insecure,
I know that I just need you like I've never done before.
Help me if you can, I'm feeling down
And I do appreciate you being round.
Help me, get my feet back on the ground,
Won't you please, please help me.
[/snip]
- Help by The Beatles
Trojan Condoms? (Score:2, Informative)
You can pull one over your case and stop the spread of windows and aol. Shipping a trojan condom with AOL cds could also help stop the reproduction of aol users. Way to go Trojan! You set a good example for the rest of us. Windows XP std2 is a threat to us all, and with your help, we may just annihilate it yet! Of course, then you are still at risk for penguin gout, and gnu herpes.... but that's a post for a different story(most likely the double posting of this).
Re:Trojan Condoms? (Score:2)
I wonder ... (Score:5, Funny)
Wow!, please! (Score:2, Informative)
Number of vulnerablities aside... (Score:2)
How many for MSIE?
What's the ratio?
Re:Number of vulnerablities aside... (Score:2)
The problem isn't JUST Windows... (Score:3, Insightful)
The MSFT Party Line (Score:5, Insightful)
That's good, blame the victim. Just what sites are those? Where's the big list of sites you shouldn't visit? We might know where to avoid, but how is Joe User going to know?
Typical MSFT response. Instead of fixing their busted ass software they blame the victim. How's the weather in Redmond today?
Re:The MSFT Party Line (Score:2)
Re:The problem isn't JUST Windows... (Score:3, Interesting)
not quite... there are some cases in which a compromised web site can serve as a 'launch pad' for malware. There are "some" cases like this and not "a lot" because the vast majority of attacks are done by script kiddies who have no fsking idea what and how they are doing it.
I had one server compromised because of a web application vulnerability... and after finishing to diagnose, fix, patch and check I could only say: "Thanks God it wasn'
Re:The problem isn't JUST Windows... (Score:2)
The parent's title I agree with. Yes, users are uneducated. Whose fault is this? Microsoft.
Widows users are quite simply left to fend for themselves after making all the color-coded peripheral connections and pushing the power button. If there's a problem, who provides support for windows? The OEM, not MS (more likely its done by a good samaritan friend/relative). Combine this with a product whose sole design goal is to be user friendly (not secure, well architected, empowering, or sufficiently docum
They always want to catch the bad guys... (Score:4, Informative)
They always want to catch the bad guys but Microsoft itself is never held responsible fot the damages their crippled software causes.
As a software developer myself, I know it's almost impossible to make a big software product 100% bug free but come on... Microsoft's software is becoming ridiculous!
Re:They always want to catch the bad guys... (Score:2, Insightful)
Re:They always want to catch the bad guys... (Score:3, Insightful)
It's been there for quite a while...
The only good thing is that constant media coverage (it's even *slowly* trickling into mainstream media) makes more and more people aware. Few of them will look for alternatives. Many of those make the switch to firefox (because it's easy and has the added bonus of suppressing these banner ads) but only a small number actually looks for another OS - because the only viable desktop alternative is still the mac and those are ex
Re:They always want to catch the bad guys... (Score:2)
Much safer to get the word out that Microsoft is bad at handling these issues, and that their EULA specifically protects them from any responsibility. Luckily, they seem to be doing a very good job of doing that on their own..
What? (Score:5, Funny)
Re:What? (Score:2, Funny)
OSS , GNU/Linux VS Mircosoft (Score:2, Informative)
How about .. (Score:2, Interesting)
duh (Score:2)
hmm (Score:2)
Wasting our tax money (Score:5, Insightful)
Non MS users should contact the FBI and tell them we don't want our tax dollars to go to phel. Let Microsoft deal with it.
Wow! Great point! (Score:3, Insightful)
Basicaly, Microsoft does not care about the costs of security because it does not effect it's bottom line. The costs are "external" to MS.
So, why does the government (meaning we, the people...) allow MS to cost industry, government and citizens billions of dollars without sanction? If this was Exxon spilling oil all over baby seals they would have to pay (a fraction) of the clean up costs and get all sorts of bad PR. With MS it's just Bus
good example of IE design flaws (Score:5, Insightful)
In particular, here we have problems in a scriptable ActiveX control for presenting Windows Help files. It's nice to have that available for Windows integration, and maybe for intranet Web applications (though regular Web pages are fine for the vast majority of online help), but people don't need it for regular Web surfing. There have been tons of flaws in these preloaded ActiveX controls, but Microsoft seems unwilling to change its policy to reduce this attack surface.
Re:good example of IE design flaws (Score:2, Insightful)
> because it has the most market share" is at best
> dubious.
Yes and no.
The market share is certainly not the whole problem, but it is definitely part of it.
1. In retrospect, trying to bind IE so tightly into the OS was a big mistake.
2. The security model chosen for IE was poorly thought out, and is probably the single biggest cause of problems. However, because so much 3rd party software relies on IE behaviour, changing the security mod
Entice? (Score:2)
Why do they always try to make this sound difficult?
Hey everybody, I've got pictures of Natalie Portman naked [inowownyourpc.ru]!
Virus/Trojan problems for Microsoft go way back (Score:3, Informative)
just remember (Score:5, Insightful)
2) Unlike other companies, MS can survive a disaster - (either DOS 4 or 5) was a dog that would have killed any other company; MS survived to fight another day (eg, borland died when they were late with one product). I'm sure
3) IMHO, MS has developed an unusual corp ability - the ability to throw money at a problem and solve it. IF gates and ballmer were really interested, they could release a new IE next year.
4) Gates is laughing at
5) there is something kinda pathetic and geekish and teenagerish in this constant gloating about bugs in MS products. Maybe worm writers don't write for *nix because that is not where the market is - if you r interested in making money, an not tech bragging writes, why wd u care about the geeks using linux. no money and hard to cheat - just not a soft target (the same principal by which "insurgents" choose unarmored Iraqis over armored mobile americans.
Untill there is some reasonably similar user base, any comparision of worms or bugs or whatever you want to call them, between nix and ms, is meanignleess. Its sort of like comparing gas mileage between GM and solectra. Just not a comparison that has meaning in the real world of sales and market share.
6) Since the game gates is playing is market share and sales and PROFITS, maybe he is not that interested in the OS or the browser - maybe they think OSs and Browsers will become commodity objects, and the money is in apps.
think about ibm selling its pc division - companies exist to make money, not technically superior produdts. Sometimes you can win on technical superiority; sometimes not
Re:just remember (Score:2)
(4) is an good point, but I think there is more to it as well. Once companies reach a certain size, they gain the attention of political people of all stripes. The attorneys and lobbyists are probably telling Gates to get IE down to 60% market share. That way there is still a reason for web developers to write to its specialized features/defects (whatever one wants to call them). The lower market share will provide decent defense against the "monopoly" witch hunters, and so becomes an important business con
Re:just remember (Score:2)
The reaction will be to blame the users for not patching. This is Linux here! It's not like we're talking about M$. M$ is evil, and even when something comes out that takes advantage of a vuln that was patched months ago (I know that the vuln discussed here is not like that, so everybody just sit back down) it'
No IE for Mac :(( (Score:4, Funny)
/begin{Sarcasm}
You know, when I found out that Microsoft would no longer develop IE for Macs, I was so sad.
\end{Sarcasm}
Re:No IE for Mac :(( (Score:2)
of totally and completely removing the included
MS IE. And that is one of the very first things
that I recommend new Mac owners do, and install
the F/OSS FireFox & Thunderbird software.
With all the problems and vulnerabilities that
are associated with Microsoft OSes, one must
wonder why any US government agency (like the
US Navy and the Dept. of Homeland Security) would
even consider a MS product, let alone to base
their agencies on.
apology accepted (Score:4, Funny)
Outlook & Outlook Express (Score:2, Insightful)
This could make for a much worse case than having to visit a web site. Just have the preview pane open with these apps and get a spam than contains the exploit.
The machine is remote ... (Score:2)
Does anyone use the word "UPLOAD" anymore?
MS bad practices (Score:2)
Yesterday I updated DirectX on my w2k machine. So I went to Windows Update and first downloaded all the new critical updates. So now my machine is "secure" (as far as MS is concerned). So I proceed to have Windows Update install DirectX 9.1. So now I have a secure box with the latest DirectX, right? Nope. I just happened to go back to Windows Update searching for something else, and
Re:MS bad practices (Score:2)
If M$ would ever start with a clean hard drive and write their next OS from scratch, they might fix most of this. Instead they just add to the exising buggy crap they've had for fourteen years.
windows server 2003 (Score:2)
It is the most no-nonsense version of Windows I've seen since 2000, perhaps more so.
IE cannot be fixed (Score:3, Insightful)
A motorcycle will always be inherently less save than a volvo, no matter what else you do to it. (sure, a safe rider can be safer than an idiot in a volvo).
The design decisions that went into IE make it impossible to secure, no difficult, not expensive, but IMPOSSIBLE.
ActiveX is the most obvious example where functionality/usability/ease-of-use totally overrode security in the design. You can't fix that, just like you can't make a motorcycle safe by adding seatbelts (more here: http://sans.org/rr/whitepapers/awareness/1509.php
Saying it's the users fault is like giving someone a book of matches in a dynamite factory and saying "it's your fault for lighting the match".
IE is a wonderful inTRAnet explorer, filling out timesheets in a low-risk network. Using it on the inTERnet is like entering a demolition derby on a motorbike.
Re:Yep. Firefox is not a threat. (Score:1)
or, possibly "Bah, humbug."
Re:Yep. Firefox is not a threat. (Score:2)
Re:Yep. Firefox is not a threat. (Score:5, Insightful)
Re:Windows Help....bah humbug (Score:3, Informative)
Re:Windows Help....bah humbug (Score:2)
Re:Windows Help....bah humbug (Score:2, Insightful)
Re:Windows Help....bah humbug (Score:2)
You're right about that. We've just started getting our first XP boxes (Dell won't sell us Win2k pre-loaded any more), and I was amazed when installing our ancient version of the GroupWise client when an alert popped up. It said that the version of Windows Messaging that shipped with that version of GroupWise wasn't compatible with XP. That alert had a link to Windows help which not only had a full explanation of
Re:Jeezus people! (Score:2, Funny)
Re: Jeezus people! (Score:2, Interesting)
Good for you! But with all these vulnerabilities and resulting spyware bogging down your Windows install, the shit creeping in before you manage to download & install the latest patches, I am really impressed you actually get any work done (and managed to make this Slashdot post).
I don't consider yet another worm 0wning my box and hand
But to those fools, it IS just a little thing (Score:2)
I don't consider yet another worm 0wning my box and handing it over to a spammer, a little thing. But okay, YMMV.
But to Windows users and Microsoftie trolls, apologists, and astroturfers, having your system 0wned by a sp@mmer and infecting 10,000 other computers with the latest Microsoft Worm, Virus, or Trojan is just a little thing. Hardly worth mentioning, often beneath their notice.
No one likes having their stupidity pointed out to them
Re:grammar? (Score:2)
Would you say "HTML" starts with "a H"?
Re:grammar? (Score:2)
wrong.
consider: an honest person, and sometimes an historic event.
Re:phel I need help (Score:2)
Re:Enough is enough! (Score:2)
Re:Right on time! (Score:2)
Re:Symantec's Threat Assessment (Score:2)