IE Flaw Gives Hackers Access To User Files 259
snydeq writes "Microsoft warned that a flaw in IE gives attackers access to files stored on a PC under certain conditions. 'Our investigation so far has shown that if a user is using a version of Internet Explorer that is not running in Protected Mode an attacker may be able to access files with an already known filename and location,' Microsoft said in a security advisory. The vulnerability requires that an attacker knows the name of the file they want to access, according to the company."
*sigh* ... blame Netscape. (Score:3, Insightful)
Had Microsoft not needed something to drive a stake through Netscape's heart, it wouldn't have needed to concoct its own Frankenstein's monster of confused and misbegotten priorities.
WHY THE FUCK DO PEOPLE STILL USE IE? (Score:2, Insightful)
This is just fucking stupid. WHY DO PEOPLE AND BUSINESSES STILL USE IE?
We KNOW it's full of holes. Not just small ones, but literally, gaping goatse-sized holes. This is a perfect example, to go along with the hundreds of other problems we know of.
There are so many alternatives today! We are living in a time of plenty when it comes to browsers. I mean, we have Opera that runs just about everywhere. We have Firefox if you want extensibility. If you prefer the feel of the old Netscape Communicator suite, ther
Re: (Score:3, Interesting)
I read about vulns in Firefox pretty often too. Granted, IE's tend to be stupider and MS's policy of ignoring vulns until they're shoved in their faces with an in-the-wild exploit (and then only patching once a month) is pretty awful, but it's not like other browsers are a magic bullet.
That said, i wouldn't be caught dead using IE, nor let friends or family do it.
Re: (Score:2)
I can't even begin to tell you the number of sites required by my previous employer that required IE, and there's always a couple here and there that want ActiveX or what have you.
I do 99% of my browsing in a Firefox with noscript installed and a fairly locked down policy. I have found I pretty much need to keep an IE laying about for those really stubborn sites which require it, and which I'm willing to use.
Generally, I agree w
Re: (Score:3, Interesting)
If a site needs IE today, I don't need that particular site.
Good luck trying to tell that to your boss.
Re: (Score:3, Informative)
Sure. But then we're probably talking about home computers. I don't ever use IE for personal work. If I have to use it for work, it's on a company computer.
Re: (Score:2)
Or FF with the IE Tab plugin (though technically that's still using IE)
Re: (Score:2, Interesting)
There's a reason I use my HIPAA rights to make sure my records only live on paper.
Re: (Score:2, Insightful)
It doesn't work like that. There are billions of sites on the internet. If your site doesn't work with them, they go somewhere else. And it would be quite stupid to ignore a browser that holds the largest market share. Sad, but true.
Re: (Score:3, Informative)
Irrelevant for this issue, as it appears to affect all versions of IE with Win 2000, XP, and Server 2003 affected. From TFA:
"The IE vulnerability disclosed on Wednesday, which is caused by incorrectly rendering local files in the browser, affects several versions, including Internet Explorer 5.01 and IE 6 on Windows 2000; IE 6 on Windows 2000 Service Pack 4; and IE6, IE 7, and IE 8 on Windows XP and Windows Server 2003, Microsoft said."
Unless someone is running Vista, or Win 7, they are at risk.
Re: (Score:2)
In fact, any ideas on getting around this would be appreciated.
Re:WHY THE FUCK DO PEOPLE STILL USE IE? (Score:4, Informative)
Only one reason as far as I'm concerned - Netflix instant viewing. Won't run in FF at all
It won't? What the hell have I been doing for the last 6 months?! I must be delusional.
Or, more likely, you have your Firefox tweaked all to hell and you're blaming Netflix for your own tinkering. Believe me: it works fine in Firefox.
Re: (Score:2, Insightful)
Because none of the browsers you listed are as easily configured enterprise wide as IE is with group policies.
Exactly. This is a thing OSS developers usually miss. They develop primarily for home users or single users and have no idea how it works in work place, while MS understands a need for enterprise solutions.
Re: (Score:2)
Exactly. This is a thing OSS developers usually miss. They develop primarily for home users or single users and have no idea how it works in work place, while MS understands a need for enterprise solutions.
"Understands" is a bit of a strong word. While Group Policies solve a lot of problems, PowerShell should have been developed about ten years earlier.
Re: (Score:2, Redundant)
Devil's advocate: The parent AC post stated one of the biggest reasons why IE is prevalent. The other is that IE is part of the OS. Because of this, it is already vetted by the legal eagles, the licensing bean counters, and the other muckety-mucks you find in larger companies. There is no need to get IE approved as part of an official corporate image, because it is present, like it or not. So, companies tend to use it because it is there, it has decent security on Vista and Windows 7 (especially combin
This is bad. (Score:5, Insightful)
When you go to my website I know what the cookie name is and I know the default file system location for that cookie. This one seems pretty bad.
Pesky NTOSKRNL.EXE (Score:2, Interesting)
Nobody knows where i keep THIS file.
Re:This is bad. (Score:4, Informative)
When you go to my website I know what the cookie name is and I know the default file system location for that cookie. This one seems pretty bad.
You seem to forget that Windows XP, Vista, and Windows 7 all have file indexing enabled by default. By accessing those hidden .db files, you can get the complete list of filenames in each directory, including the names of the subdirectories in some cases.
Re: (Score:2)
I was serious. :-D
I'm not a programmer nor a webmaster so this stuff is a bit opaque for me.
However, now that I know your computer is vulnerable (by using this method to access my own cookie) what would prevent me from going on a fishing trip for other cookies? Say...ones from your bank, or Amazon, or other high value websites?
Package that up into a script and you could probably scan for 1,000 different cookies in the time it took you to read my post.
Re: (Score:3, Insightful)
Package that up into a script and you could probably scan for 1,000 different cookies in the time it took you to read my post.
Definitely! Reading everyone else's cookie is much more interesting than using an exploit to read your own cookies! :P
Re: (Score:3, Funny)
1000 cookies! Fast way to a diet !
Re:This is bad. (Score:5, Insightful)
Well, if any of those cookies are being used by supposedly secure sites to remember somebody's login so they can conveniently purchase in future, you may well know enough to log into their account on those shopping sites and get their real name, address and purchasing history. From this point, it's not a particularly large step to large-scale identity theft.
I wonder... (Score:5, Insightful)
Re:I wonder... (Score:5, Funny)
Now I gotta tell my friends about this! Hold on while I log..
Oh crap.
Re: (Score:2)
This is why I keep my password file encrypted. Any I don't use that standard '.txt' extension either. Mine is 'passwords.rot13'... no one would ever guess that!
Re: (Score:2)
Even doing something like your name / word + some unique number + some random color is enough for a decent password. (caps on one side of the number)
Oh come on. That will never work for my mother. She is lucky if she can avoid losing the slip of paper her password is written on, even if the password is her birthday.
Flawed (Score:5, Insightful)
an attacker may be able to access files with an already known filename and location
One more reason not to keep your files in "My Documents". That part is easily guessed; "2009 Income Tax Returns" would be easy to guess as well.
"Protected Mode prevents exploitation of this vulnerability and is running by default for versions of Internet Explorer on Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008," it said.
Does XP have a protected mode? That's the version of Windows most people use IINM. Is this a ploy to get people to upgrade from XP?
Microsoft hasn't seen any attacks that exploit the flaw and has yet to decide whether to repair the flaw through its monthly security patch release cycle or an urgent, out-of-cycle update.
Has yet to decide whether to repair it? Hmmm... Ok, they're trying to decide when to. How about doing what every other browser company does and give us the patch NOW?
Re:Flawed (Score:4, Insightful)
I'd say it's (yet another) reason to stop using a 9-year-old OS. How many of the major Linux distros still support versions that old? How many people would recommend continuing to run a version that old?
Re: (Score:2)
I have to agree. I'm open for 4-5 years of long term support for server OS's and very stable versions, but 9 years is just ridiculous.. well, would be normally, but there was not much option after XP for a long while and then came Vista.. go figure.
Re: (Score:2)
How many of the major linux distros still support versions that old?
We don't have to as it's free, but there would be a lot more if Linux cost $500 ($100 for a "home version" upgrade) like Windows does. Lots of people don't even pay $500 for their computer.
Re: (Score:2)
Agreed, although maybe not at a $500 price point. If Linux were $100 and Windows was $50, I'd choose Linux. Hell, if Linux was $100 and Windows was free I'd still choose Linux. But if Windows were free and Linux cost $500, I'd bite the bullet and use Windows. Five hundred bucks is a lot of money to me.
Re: (Score:2)
I am sure that if Linux and Windows were the same price I would use Linux. I can say this with certainty because I have bought a copy of Windows but I use Linux instead >95% of the time (non-gaming basically). I would probably be willing to pay about £100 for Linux.
Re: (Score:2)
How many of the major Linux distros' later releases suffer from a performance downgrade?
Re: (Score:2)
First of all, it took the company who made the OS eight years to come up with a suitable replacement (or, at least six, if you want to count the relatively usable W2K8 server as a replacement for a desktop system), so I only look at the OS as two years out-of-date at most.
In addition, Win7 requires more processing power than XP to gain reasonable advantage over XP, requires the user to learn new UI and administrative skills, and often requires replacement of software and hardware for which no Win7 versions
Re:Flawed (Score:4, Interesting)
The difference is that a lot of software which works on Windows XP is broken on Windows 7, including several games that I tried, whereas for the various Loki games that don't work there's Loki_Compat, and for most everything else you have source and can recompile. There's still ample reason to use Windows XP, because for many tasks it is superior to modern Windows. Of course, there are limited cases where this is true for Linux as well, such as when you desire to run OpenMOSIX which AFAIK last worked on 2.4 series kernels.
Re: (Score:2)
I can see this being a big problem for business users too.
We issue all files to external parties as pdfs/dwfs so they're basically read only, but there's a tracker reference for internal use which is on this, and I've seen this a lot before too, so I imagine that it could expose something that is supposed to be locked away for contractual reasons to being accessed, modified and distributed.
We also use XP, some essential software can't handle 64 bit xp, nevermind Win 7, so we're stuck here for a while at lea
Re: (Score:2)
Well, what blackhat could pass up easy access to anything in C:\WINNT\system32, or the paging file, or any other critical file, from the web?
Re: (Score:2, Informative)
> Has yet to decide whether to repair it?
No, has yet to decide whether to repair it now or wait until Patch Tuesday.
There are plenty of legitimate reasons to criticise Microsoft (like leaving things unpatched until Patch Tuesday) but misinterpreting their statements doesn't help anybody.
Re: (Score:2)
You might not even have to guess the tax-returns folder. I wonder if you could iterate through all possible files/paths inside My Documents and brute-force a listing.
Re: (Score:2)
It's possible but not practical. A decade ago I did this as part of a proof-of-concept virus; iterating through all possible 8.3 filenames would have taken just under a century.
Re: (Score:2)
It's possible but not practical. A decade ago I did this as part of a proof-of-concept virus; iterating through all possible 8.3 filenames would have taken just under a century.
I know the longer filename support in Windows would take longer to brute force, but wouldn't that also make a dictionary attack more feasible since fewer constraints are placed on the user's naming of files?
financial information vulnerable (Score:5, Funny)
That part is easily guessed; "2009 Income Tax Returns" would be easy to guess as well.
Oh shit ... hackers can find out how broke I really am!!
Re: (Score:2)
an attacker may be able to access files with an already known filename and location
One more reason not to keep your files in "My Documents". That part is easily guessed; "2009 Income Tax Returns" would be easy to guess as well.
I'd be more concerned about the accessibility of files like Normal.dot - the default MS Word template. Stick an autoexec macro in there, and you'll learn quite a bit about the system.
Understanding Protected Mode (Score:2)
Protected Mode is the "sandbox" feature present in IE7 and IE8. It uses UAC that's in both Vista and 7 to run in an even more limited fashion, but not in XP. If you've got UAC disabled, you're not running Protected Mode and you're vulnerable. There are other [mydigitallife.info] ways in which Protected Mode can be disabled.
It's best to check out the blog entry on the MSRC [technet.com] and the Knowledge Base article [microsoft.com].
We now return to your regularly scheduled Microsoft bashing and Linux referrals already in progress.
Re: (Score:2)
XP does not have a protected mode. The next best thing would be to run a virtual machine utility and browse in that. Then when done browsing, close the VM and have all changes rolled back to the previous snapshot. If you want bookmarks preserved, put that directory on another virtual drive that keeps its state (and doesn't get rolled back like the system.)
Barring running in a VM, you can create a non-admin user in XP, switch to that for your Web browsing, and only use that user for browsing. Your sensit
Or... (Score:2)
Re: (Score:2)
How about the system doesn't allow the fecking web browser to read your personal files?
Come on, man, it's Microsoft we're talking about!
Re: (Score:2)
Has yet to decide whether to repair it? Hmmm... Ok, they're trying to decide when to. How about doing what every other browser company does and give us the patch NOW?
Some of us are old enough to remember before Microsoft implemented Patch Tuesday. The official reason was simple - companies were sick to death of having new patches to test, deploy and roll out several times a week.
Myself, I take the view that if a company large enough to test, deploy and roll out patches on a managed basis can't institute their own timetable rather than rely on that provided by a third party they have huge problems. But what do I know?
Re: (Score:2)
But keeping your shit where your shit ought to be is a key best practice - you can't reasonably expect to change that now. Imagine if programmers were to throw their files all over the system directories and requiring all kinds of administrator privileges to run. Now imagine users needing the same rights just to get to their files.
Re:Flawed (Score:4, Informative)
Protected Mode requires a substantial change to the process security model. Basically, until Vista/Server 2008, NT followed what was essentially the *NIX security model, where access permissions of a program were determined by the user/group the program was run by. There are differences in implementation between NT and the various POSIX systems, but that's the general idea. The problem is that when the vast majority of your users run with nearly full access to the system, one misbehaved (vulnerable) program can bring everything crashing down.
In NT6 (Vista/Server 2008), Microsoft introduced a new concept of process integrity levels, which are a per-process (rather than per-user) level of security. By default, programs run with medium integrity, which means their access permissions are basically what they were before. High integrity processes, such as system processes or anything run with actual Administrator permissions, can access anything but can't be accessed by lower-integrity programs (which helps prevent elevation of privilege from a non-Admin program).
The relevant datum here is that Internet Explorer runs (by default) with Low integrity, which means it has extremely limited access to the rest of the system. A low-integrity process can't start medium-integrity processes, can't write to the vast majority of the filesystem (there's a special low-integrity folder for things like Temporary Internet Files) or registry, and basically is unable to cause any harm. The trick is, it has these limitations regardless of the permissions of the user who runs the program.
XP can't do that. If you, as a user, can write to a location, any program you start can too (unless you tell Windows to start it as another user). Therefore, since Protected Mode is just Microsoft's term for "this process runs with low integrity" and XP can't *do* low integrity, no, you don't get Protected Mode on XP, and never will (it would require a substantial change to the kernel security subsystem).
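As an added illustration of the chain this comment describes (it is not code from the thread, from Microsoft, or from any project mentioned here), the PowerShell audit below checks the three conditions that have to hold together for Protected Mode to be in effect: an NT 6.x kernel that has integrity levels at all, UAC switched on, and the per-zone "Turn on Protected Mode" setting enabled for the zone a hostile page would land in. The registry locations and value meanings used (value `2500` under each zone key, where 0 is on and 3 is off; `EnableLUA` under the Policies\System key) are taken from the IE7/IE8 and UAC layout on Vista and 7 as I know it, not from this page, and the function name `Get-IEProtectedModeStatus` is invented for the example.

```powershell
# Added example (not from the Slashdot thread or Microsoft): report whether
# Internet Explorer Protected Mode can actually be in effect for this user.
# Assumptions: per-zone value 2500 (0 = on, 3 = off) and EnableLUA (1 = UAC on)
# are where IE7/IE8 on Vista/7 keep these settings. Run as the user whose IE
# configuration you want to audit.

function Get-IEProtectedModeStatus {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # Protected Mode is just "run IE at low integrity"; integrity levels only
    # exist from NT 6.0 (Vista / Server 2008) onward, so XP can never qualify.
    $osVersion = [Environment]::OSVersion.Version
    $result.SupportsIntegrityLevels = ($osVersion.Major -ge 6)

    # Protected Mode is built on UAC; with UAC off, IE runs at medium integrity.
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $enableLua = (Get-ItemProperty -Path $uacKey -Name 'EnableLUA' -ErrorAction SilentlyContinue).EnableLUA
    $result.UacEnabled = ($enableLua -eq 1)

    # Per-zone "Turn on Protected Mode" setting (value name 2500): 0 = on, 3 = off.
    $zoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
    $zones = @()
    foreach ($id in 0..4) {
        $zoneKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$id"
        $value = (Get-ItemProperty -Path $zoneKey -Name '2500' -ErrorAction SilentlyContinue).'2500'
        $zones += [pscustomobject]@{
            Zone          = $zoneNames[$id]
            ProtectedMode = $(switch ($value) { 0 { 'On' } 3 { 'Off' } default { 'Not set' } })
        }
    }
    $result.Zones = $zones

    # All three conditions must hold for the Internet zone for the mitigation
    # Microsoft's advisory relies on to apply to a page from the open web.
    $internet = $zones | Where-Object { $_.Zone -eq 'Internet' }
    $result.InternetZoneProtected = $result.SupportsIntegrityLevels -and
                                    $result.UacEnabled -and
                                    ($internet.ProtectedMode -eq 'On')

    [pscustomobject]$result
}

# Usage: print the summary and the per-zone table.
$status = Get-IEProtectedModeStatus
$status | Format-List SupportsIntegrityLevels, UacEnabled, InternetZoneProtected
$status.Zones | Format-Table -AutoSize
```

On an XP machine the zone values are simply absent, so every zone reports "Not set" and `SupportsIntegrityLevels` is false, which matches the comment's point that XP cannot provide Protected Mode regardless of configuration. The script reads only the current user's zone settings; a domain Group Policy can impose the same setting from a Policies key elsewhere in the registry, so treat a "Not set" or "Off" here as a prompt to check policy rather than a final verdict.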
Re: (Score:3, Insightful)
C:\users\%USERNAME%\Documents anyone?
Re: (Score:2)
On all versions of Windows, %userprofile% will get you to your home directory - even if you didn't install your Windows on C:, have multiple versions installed on the same partition, or tried to obscure stuff in any way.
Re: (Score:2)
2. Enter "%homepath%\Documents" into the address bar and press enter.
3. Profit!
Re: (Score:2)
Actually, in Windows XP, it's C:\Documents and Settings\(username)\My Documents. That's true whether you are on a domain or not. So that is certainly a mitigating factor even back in XP, because a remote attacker is unlikely to know (username).
However, that's not the case on some machines. The default install from most manufacturers is one preinstalled user, who is Admin, with a default username set by the manufacturer. Dell uses "Default" for this, last I knew. So a lot of people are still vulnerable
c:\Windows\System32\ (Score:3, Insightful)
Re: (Score:3, Insightful)
yeah, it's not like there are stored connection strings to databases ... um ...
Re: (Score:3, Insightful)
That's not the case.
It's not like memory dumps don't ever get dumped there if you had an OS crash, and it's not like memory dumps would ever contain user data like user passwords. There's user data in there. Where does the REGISTRY get saved???
This is BAD.
Re:c:\Windows\System32\ (Score:4, Informative)
Except as far as I can tell from the advisory, the files are read only.
Re: (Score:3, Interesting)
Actually, a very important distinction of the word "access" was not mentioned. This flaw only seems to give read access to the files, so you cannot just modify any file you wish.
It's still a major security flaw, of course, but will be slightly more difficult to exploit. It's great for targeted phishing though. You'll be able to find out a lot about the target.
Re:c:\Windows\System32\ (Score:4, Insightful)
C:\windows\system32\config\sam
Read-only access is all you need...
Re: (Score:2)
That's why I install the Windows OS on my Z drive.
Then you're running a vulnerable operating system. For compatibility with brittle programs, Vista and 7 label whatever drive they booted from "C."
CVE-2010-0255 (Score:2, Informative)
Holy Flashback, Batman?! (Score:2, Offtopic)
Re: (Score:2)
My first thought when I saw "Protected Mode" was that anyone who is still using an 8088 deserves to get pwned.
Re: (Score:3, Informative)
"Protected mode" is a marketing term meaning IE takes advantage of Vista's new permissions model. It means it's a low-privilege process and has most of its file system access effectively jailed or redirected.
Long-winded article here [microsoft.com], but I'm guessing the hack doesn't work in "Protected Mode" because the browser itself doesn't have much file system access.
I'm really getting sick of this excuse (Score:4, Insightful)
Good thing no one knows to look for: "%USERPROFILE%\My Documents\Quicken\qdata.qdf"
Modifying hosts.txt (Score:2, Insightful)
Re: (Score:3, Informative)
Actually, the security advisory describes the attack, and while the remote attacker would have access to any file the local user does, it does not appear the file could be altered, just copied or examined. The security bulletin never lays this out in uncertain terms, but the description of the actual process looks like a read-only one.
Given that Windows usually stores important stuff in c:\Documents and Settings\(username)\blahblah, the remote attacker would have to know (username) before they could get to
Re: (Score:3, Insightful)
http://www.microsoft.com/technet/security/advisory/980088.mspx [microsoft.com]
When in doubt, go to the source. Microsoft has a pretty decent write-up on this one. I don't know who taranfx.com is, but the only accurate bits of information in their article are what they cut-and-pasted from the Microsoft site. The rest is, umm, "fanciful". Sorry, I gotta call 'em like I see 'em.
Oh, one other useful bit from their site... that everyone should stop using IE. Now.
I'd also add to only run a browser that has something like No
Re: (Score:2)
No, the security advisory should have put "read-only" access as one of the mitigators. I'm frankly surprised it isn't, since that's a pretty severe mitigating factor. Most of the files you'd really want a copy of (Quicken, Money, etc) are located in the harder-to-predict user folders, and the files you can find easily would only be useful if you could alter them.
They strongly imply that the attacker has the same level of access to the files that the local user does, which when you read the actual attack m
Only under certain circumstances. (Score:5, Funny)
Re: (Score:2)
The circumstances are apparently running a Windows system with Internet Explorer as the default browser. Come on, how many slashdotters do that?
I'd say close to 100% of the people who work for Microsoft, all of whom I'd guess are on slashdot.
Re: (Score:2)
Right, but they are all running Windows 7.
My company runs XP, and provides IE6 by default. So did my last two companies. Not that I use IE for anything but the Intranet, but most people still use it for all their browsing needs.
Re: (Score:2)
The circumstances are apparently running a Windows system with Internet Explorer as the default browser. Come on, how many slashdotters do that?
How many slashdotters' parents do that? I'd say a good deal many of them.
This affects more than just you. Or maybe it does affect you: what's your setup at work like?
Windows.edb = windows search index (Score:5, Interesting)
get \ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb (vista)
or \All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Windows.edb (xp)
and http://www.simplecarver.com/tool.php?toolname=Windows Search Index Extractor
My filenames: (Score:2)
Firefox Mode (Score:2, Funny)
I run IE in Firefox mode, so I think I'm protected. ;)
Question (Score:2)
Hmm, how about the document search index? (Score:3, Insightful)
Because there isn't an easily found, well known file that is a handy index of all of the files on your system:
\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb
http://en.wikipedia.org/wiki/Windows_Search [wikipedia.org]
Re: (Score:2)
Wouldn’t that file be pretty huge? (No Idea. No Windows here.)
Also: There is no C:\ProgramData. (At least in XP.) Did you mean $HOME\Application Data, or C:\Programs?
Or is that a Vista thing?
You mean like... (Score:4, Interesting)
You mean like...
C:\users\%username%\AppData\Local\Microsoft\Outlook\outlook.pst?
hmmm...??? like that?
I can see it coming.... (Score:2, Funny)
If things keep going like this regarding Microsoft and clever words, pretty soon this will be on Slashdot:
"Microsoft has announced that it is investigating a vulnerability in IE where an attacker can gain access to customer's computer if they are connected to Internet. But as all versions of Windows do not have internet access by default, most users are not vulnerable"
Seriously? (Score:2)
Re:Steam (Score:5, Interesting)
Unfortunately, the thread asking for Webkit in Steam at http://forums.steampowered.com/forums/showthread.php?t=861863 [steampowered.com] demonstrates how clueless the average gamer is about standards etc.
Some choice quotations:
"ie is fine"
"I'd rather not have steam bloated with redundant tech right now."
"Also W3C != Web Standards, and IE aren't the only ones not complying with the "standards", Firefox didn't comply with all W3C published recommendations either.(Don't know if that's still the case) [...] Microsoft is a business, and they don't want to take the blame because of a third party's inability to properly design websites. That is their design goal, and as the W3C isn't enforceable, as it's not considered a standard"
"It works, it is secure and it isn't that slow"
"IE is fine, and so was Windows 98."
"there is nothing wrong with the day-to-day performance of Trident."
Re: (Score:2, Informative)
Well to be fair, they are somewhat correct. While I don't like the clunky browsing within Steam or the in-game overlay, switching over to another engine would be a lot of work and testing for Valve and could create even more problems for users. And that's all while the browser component is a side thing.
For example IE and it's embedded component is supported on all versions of Windows. If Steam were to integrate their own browsing engine, they would have to make sure it works for 100% of users and they would ha
Re: (Score:2)
Yes, but Firefox has things from HTML 4.01 that it still doesn't implement correctly. The col tag and its attributes come to mind.
Re: (Score:3, Informative)
>Nobody ships with all of the W3C published recommendations. That's just stupid. You can't hit a moving target like that.
No no no no... red herring... you've been misled.
A browser does NOT need to support all W3C recommendations.
This is true for all browsers, even for IE.
What all browsers are EXPECTED to do is - "if" they support a recommendation - that they do what the recommendation SPECIFIES.
In other words, you choose to do a CSS attribute CORRECT.. or do it NOT AT ALL. IE would randomly do something *u
Re: (Score:2)
Sorry, never mind.