Microsoft Says, Don't Press the F1 Key In XP 324
Ian Lamont writes "Microsoft has issued a security advisory warning users not to press the F1 key in Windows XP, owing to an unpatched bug in VBScript discovered by Polish researcher Maurycy Prodeus. The security advisory says that the vulnerability relates to the way VBScript interacts with Windows Help files when using Internet Explorer, and could be triggered by a user pressing the F1 key after visiting a malicious Web site using a specially crafted dialog box."
Well, at least the important keys still work. (Score:5, Funny)
Re: (Score:3, Insightful)
Re:Well, at least the important keys still work. (Score:4, Informative)
http://www.randyrants.com/sharpkeys/
This will remap any(?) keys in windows at a registry level.. including media keys and the f > 12 keys.
Re:Well, at least the important keys still work. (Score:4, Funny)
Re:Well, at least the important keys still work. (Score:5, Funny)
Welp, a long time ago I disabled the very annoying Insert Key on my computer with a simple hardware fix.
1) Get a flathead screwdriver.
2) Place screwdriver underneath problem key.
3) Place left hand approximately 1 foot (~0.3 meters) above problem key.
4) Use leverage to pop key out of keyboard.
5) Your left hand will block the deadly flying plastic. Be careful not to stab yourself with the screwdriver! Better to have to search around for a plastic key than dig a flathead screwdriver out of your hand.
Re:Well, at least the important keys still work. (Score:5, Informative)
autohotkey.com
Open source programme that allows you do do anything with your keys. Careful though, once you start you won't stop.
Yes, AutoHotkey. Change any key to anything else. (Score:2)
Re:Yes, AutoHotkey. Change any key to anything els (Score:5, Funny)
AutoHotkey: Editor with syntax highlighting. (Score:4, Informative)
I just checked. My AutoHotkey script is 1,639 lines, 52,140 bytes. That doesn't include the special scripts.
The source code is available [autohotkey.com], as is a GUI creator.
The AutoHotkey programming language is quirky.
AutoIt [autoitscript.com] has a more standard language. AutoIt is better for complex automated installation scripts, for example. AutoHotkey is better for hotkeys. Both offer compilation of their scripts to
I tend to mix/match (Score:2)
Re: (Score:2)
I seem to recall the Necronomicon mentioning that as a way to summon (but not bind!) a Byakhee...
Re:Well, at least the important keys still work. (Score:4, Informative)
Presumably autohotkey has to stay running in the background?
If you just remap your keys nothing extra has to stay loaded :
http://vlaurie.com/computers2/Articles/remap-keyboard.htm [vlaurie.com]
or Remapkey.exe from the MS server 2008 resource kit : http://www.microsoft.com/downloads/details.aspx?FamilyID=9D467A69-57FF-4AE7-96EE-B18C4790CFFD&displaylang=en [microsoft.com]
Re:Well, at least the important keys still work. (Score:5, Informative)
More importantly, is there a way to disable F1 in Windows? I can't tell you how many times I've accidentally hit it when trying to hit Esc.
Regedit: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\HELPCTR.EXE
For the default key at the top usually named (Default)
Either delete the path to helpctr.exe so the value is blank (Value not set), or download the dummy.exe from the actual directions below and point it to that.
http://www.hydrous.net/weblog/2007/06/23/disable-f1-in-windows-exporer [hydrous.net]
Re:Well, at least the important keys still work. (Score:5, Funny)
Best to change it to:
Shutdown -s -f -t 00
Will make windows much more efficient :)
Re: (Score:3, Insightful)
More importantly, is there a way to disable F1 in Windows? I can't tell you how many times I've accidentally hit it when trying to hit Esc.
A screwdriver will work. It's even cross-platform.
Re: (Score:2)
Re: (Score:2)
More importantly, is there a way to disable F1 in Windows? I can't tell you how many times I've accidentally hit it when trying to hit Esc.
same way I got rid of the Windows key, A Flathead screwdriver.
Funny you should mention this (Score:2)
Re:Well, at least the important keys still work. (Score:5, Funny)
More importantly, is there a way to disable F1 in Windows?
Possibly. Press F1 and look it up in Windows Help.
Re:Well, at least the important keys still work. (Score:4, Funny)
Or you could use FF/Opera/Chrome. Really the title should be, Don't use IE in XP.
Re: (Score:2)
Re:Well, at least the important keys still work. (Score:5, Funny)
Re: (Score:2)
Re: (Score:3, Funny)
woosh
Re:Well, at least the important keys still work. (Score:5, Funny)
BEST DECISION I EVER MADE.
Everyone knows caps lock is cruise control for cool.
Re:Well, at least the important keys still work. (Score:5, Insightful)
Just now, for the first time in my life, I pressed F1 in Windows on purpose.
Lots of interesting information is in there, and I even learned a few things (I didn't know XP had a private character editor [wikipedia.org]). But I don't know anybody who uses the windows help system on purpose.
Google already provides good help for Windows.
Re: (Score:2)
Ah, gee, I feel sorry for you guys who didn't get to play with Windows 3.0 in the Spring of '90 :-) Back then we read all the help files cover to cover, cause it was nearly the only thing you could do on the thing.
Then play some Door programs :-)
Re: (Score:2)
In the old days you actually had to THINK to figure out how to do something on the PC. Real actual honest to god research and thinkin about something. No foolin!
Re: (Score:2)
But I don't know anybody who uses the windows help system on purpose.
The people who use F1 for help are the same people who use WindowsKey+E instead of going to My Computer. F1 for help is standard for as long as Windows has been around and it is also context specific. If you hit F1 in an application, you get help for that application. Some applications take it even further and bring up function specific help depending on what portion of the application your mouse is hovering over, or your cursor is foc
Re: (Score:2)
Uhhh, did you look at the first hit? Might want to proofread your Google links before using it to make a point...
How to Upgrade Linux to Windows XP | eHow.com ...
How to Upgrade Linux to Windows XP. Since Linux operating systems use different file systems than Windows, the hard drive must be formatted with either
www.ehow.com Computers Operating Systems Windows - Cached - Similar -
Re: (Score:3, Informative)
I thought you were doing the typical "fixing Windows is easy, just install Linux!" joke... which appeared to fail based on the first hit, since it was how to install Windows ;)
As for FAT vs. NTFS, how many people know the difference between disc and drum brakes? I don't know if knowing about filesystems is a requirement for using a computer - or that it even should be. If you want people to switch to Linux (hey, I think it's a good idea too, most of the time :) ), requiring them to read about filesystems
Re: (Score:2, Interesting)
First you say it really doesn't matter if Windows users know anything about how their system is set up and how things work, but then go on to explain how their ignorance about how things work is their greatest weakness. You pretty much defeat defeat your own argument without realizing it.
Re: (Score:3, Insightful)
You pretty much defeat defeat your own argument without realizing it.
GP is comparing two broad classes of knowing how things works, and asserting that ignorance of one of them is a problem. This is not contradiction, it is drawing a distinction.
I don't need to know how my fuel injection system works, but I had better know what to do at a stop sign.
Re: (Score:2, Insightful)
I don't think that pointing people to community resources is a bad thing. In the vast majority of cases, unless it's a very, very, odd forum/community if bad advice is given that advice will be promptly nullified.
I haven't used Windows in years so I'm very used to community support. I find it better than formal support because there is usually at least a couple of people on every help forum who have a real knack for explaining things to non-technical people. Also, getting more than one point of view, and
Re: (Score:2)
As for FAT vs. NTFS, how many people know the difference between disc and drum brakes? I don't know if knowing about filesystems is a requirement for using a computer - or that it even should be.
Should be? No. Is? Yes. Disc vs. drum brakes make a certain amount of difference to braking performance, but having drum brakes won't make it easier for people to steal your car, or cause it to suddenly stop working while you're driving. Modern computers are simply not comparable to modern cars. They're more like the Model T -- reliable and affordable enough to be useful to a lot of people, but still not something you want to depend on without a decent set of tools and a fair amount of mechanical know
Re: (Score:3, Interesting)
I take it you have never had a "classic" car with drum brakes all around. I assure you that drum brakes can suddenly stop working; they are far more susceptible to fade than disc brakes with vented rotors, and if you don't know to ride the brakes a bit after driving through puddles if you have drum brakes (to boil off the nice layer of water that ends up being a great lubricant on t
Re: (Score:2)
About two hours' difference when it's time to do the brakes (or more if the drums have a deep ridge and the cylinders and springs are nice and clogged up with brake dust and rust). In one of my cars I can do the brakes in ~15 minutes per corner. On my GMC 1500 (now junked thank god) the rear drum brakes alone would take ~2.5 hours (the fronts weren't so bad, being disc).
Did you use fat32--ntfs converter? (Score:3, Insightful)
The stock command coming with XP can convert FAT32 to NTFS in matter of minutes. I guess it would take seconds if it didn't do a chkdsk internally. Now, instead of all that trivial junk being told to user while installing Windows XP, MS could say "We introduce a new filesystem with Windows XP, it is faster, more reliable and has more features. It also makes checking disk needless." with "Convert my startup drive to NTFS" checkmark selected.
That time, users would move to NTFS and no, they would still have no
Re: (Score:3, Insightful)
The actually funny part about this is that most users find that they hit F1 triggering help files on accident - Windows help has long such been little to no help at all, offering nothing you didn't already know. Most of the time you are meaning to press F2 to rename something.
Re: (Score:2)
Re: (Score:2)
Windows XP Help is great when it comes to finding out whether you have a counterfeit copy. That answer comes up at pretty much any time you could remotely press F1.
Try it yourself... uh... well, maybe not right now.
Re:Well, at least the important keys still work. (Score:5, Funny)
User: So what'll happen?
Tech Support: That's just it. We don't know. Maybe something bad. Maybe something good. I guess we'll never know, 'cause you're going to guard it. You won't touch it, will you?
F1rst (Score:3, Funny)
F1rst
Re: (Score:2, Funny)
Fa1l.
Yet another reason (Score:3, Insightful)
This is yet another reason why MS' idea of a tax to deal with malware tax is stupid.
Re:Yet another reason (Score:4, Interesting)
Don't press the F1 key? Jesus fucking christ. What next, don't power up the box?
Re: (Score:3)
Actually if you look at security advisory number ....
Re: (Score:2, Informative)
What next, don't power up the box?
That's actually a pretty good way to secure a Windows box. That or forgetting a Linux live CD in the drive (and have the system boot from CD first).
Re:Yet another reason (Score:5, Funny)
(Coming from someone who just spent 10 hours removing the Internet Security 2010 trojan malware [bleepingcomputer.com] from his wife's computer.)
Re:Yet another reason (Score:5, Insightful)
This is yet another reason why MS' idea of a tax to deal with malware tax is stupid.
It's almost amusing that a Web browser is so tightly integrated with the operating system that scripts run by it can influence core system functions without actually rooting the machine. I guess this is what happens when you ignore decades of computer security history and discard the principle of least-privilege. Hopefully Windows 7 (and Vista) is not defective enough to allow a userspace application to screw around with a built-in OS function like help files.
Look, if we're honest, the only reason why IE is so tightly integrated with the OS in the first place is because Microsoft wanted to abuse its desktop OS monopoly by using it to dominate the browser market. If not for that, IE would be a standalone browser and would be separate from any built-in HTML rendering that's part of the core Windows system, like help files in this case. This is one reason why I use Linux: Microsoft obviously cares about its marketshare more than my security, and I cannot in good conscience use my money to support a company with such backwards priorities. I'm sure someone will chime in with talk about how useful Windows is, and I won't argue (much) with that.
This is really a moral issue. Anyone with decent principles wouldn't want to reward a company with such questionable business practices, not even if they made the finest software available. I'm sure the rest of you who don't have such principles will have a million excuses for why you continue to support Microsoft with your wallets, and that's fine. Every dishonest organization has its useful idiots without which it could not continue existing.
Re:Yet another reason (Score:4, Insightful)
You do realize that KDE, for example, also uses the same HTML component - KHTML - for both its standalone browser, and help system (and many other things)? I'd expect OS X to do the same with WebKit. Gnome is different, but mainly because of the mess they made with GtkHTML vs Gecko vs WebKit; the long-term plan, as I understand, is still to migrate to WebKit for everything.
It's also purely a matter of practicality - I mean, why would you have two distinct HTML renderers?
Re:Yet another reason (Score:5, Interesting)
The same HTML rendering component I can understand, but in this case it appears a script running in a web browser instance of the component can somehow affect the help rendering instance, and that is a quality WTF.
Re: (Score:2, Insightful)
Quality-wise it's clearly a defect, but GP was ranting about it from some moral "evil monopoly" perspective.
Re: (Score:2)
You do realise that KDE and Gnome are not operating systems? "OS X" is also not an operating system in the typical sense of the word; it has Darwin [wikipedia.org] under the covers, responsible for managing all the hardware and important functions like permissions, ensuring that the core system can't be hosed when an rogue application is somehow allowed to be run as a user.
It is comforting to know that if something goes wrong on Linux or OS X (or similar), that the problem is almost always limited to only a single 'user'
Re:Yet another reason (Score:5, Insightful)
You do realise that KDE and Gnome are not operating systems? "OS X" is also not an operating system in the typical sense of the word; it has Darwin [wikipedia.org] under the covers, responsible for managing all the hardware and important functions like permissions, ensuring that the core system can't be hosed when an rogue application is somehow allowed to be run as a user.
Guess what? Windows works in exact same way. There's the kernel there, then a set of userland APIs on top of then, then the UI layer, and finally the actual DE. Just because they are shipped in a single box, and aren't explicitly marked as separate, and given funny-sounding names, doesn't mean they aren't there.
Do you seriously think that NT kernel somehow uses IE under covers?
It is comforting to know that if something goes wrong on Linux or OS X (or similar), that the problem is almost always limited to only a single 'user' account
It depends on your definition of "something goes wrong". A privilege escalation exploit has the same problems on any OS, and without one you can't break the system on modern Windows versions (speaking of which, note how Vista/7 aren't vulnerable in this case), either - user account security is not fundamentally different in NT compared to Unix.
Oh, and this isn't what is usually understood by a privilege escalation vulnerability - it doesn't give you root or anything. It's rather a sandbox breakage - scripts which should be executing in a browser sandbox "leak out", and run with all privileges of the user interacting with the machine.
Re: (Score:2)
No, actually I still think it's a great idea. I would just paperclip to it that the actual culprit gets to pay when the shit hits the fan. If I'm to blame, I pay. If MS is to blame, they pay.
Just tell me early enough so I can make sure to dump all MS and Adobe stock I might have.
F1! (Score:5, Funny)
F1!
I need somebody!
F1!
Not just anybody!
F1!
You know I need someone!
F1!
Re: (Score:2)
If you start me up I'll never F1
If you start me up
If you start me up I'll never F1
Re: (Score:2)
"You make a grown man cry"
So true :-)
Only MSIE users (Score:3, Insightful)
Any XP user still using Internet explorer probably hasn't a clue that F1 does anything at all.
Re: (Score:3, Interesting)
Re: (Score:2)
Re: (Score:2)
Really? What could possibly tie you to IE6? Even Microsoft has STRONGLY recommended you move on.
Or as Buzz Out Loud says... (Score:2, Funny)
MS was concerned about how this was exposed? (Score:5, Insightful)
I find the idea that Microsoft is angry at the people who found a problem in Microsoft software not telling Microsoft about it hilarious.
Re:MS was concerned about how this was exposed? (Score:5, Insightful)
Re: (Score:3, Interesting)
It does not. It minimizes potential damage to the brand, so the vendor can decide if it's worth their while to do something.
Better they sell it on the black market than they use it quietly. Moreover, if there's a market, then it's worth something and "g
Re:MS was concerned about how this was exposed? (Score:5, Insightful)
Angry or not angry, the point is that disclosing security bugs directly to the vendor first minimizes harm to end users - assuming, that is, the vendor feels sufficiently motivated to fix the bug. You can't argue that "security researchers" who sell 0-day vulnerabilities on the black market are helping anybody but themselves (not that Prodeus fits this description).
I frequently hear this type of reasoning. It should be listed as a known/cataloged talking point so we can all absorb it once and move on, instead of seeing it rehashed every time this sort of discussion comes up. Sorry but old and well-worn arguments aren't contributing much. They don't have much power to convince anyone who doesn't already subscribe to that viewpoint.
What I don't hear so much about is the incentive provided by full public disclosure. If you know that security vulnerabilities will be disclosed to the public, that this will result in security problems for your customers, that it will cause public humiliation for your company, is this not a strong incentive to secure your software in the first place? Confidential disclosure to the vendor only seems like it lets them off the hook a bit too easily. I'd normally be slow to view it that way, but Microsoft has a long history of such problems despite having tremendous resources it could dedicate to proactively eliminating them. They have the expertise, they have the money, they have the ability; what they lack is the will. There's simply no excuse for allowing a browser to influence bulilt-in OS functions. I view this more like negligence on Microsoft's part and less like an unforeseeable event that could have happened to any vendor.
As far as causing the least harm to the end users, should we be concerned about this in the long run? In the short term this can be quite unpleasant, and I don't enjoy the idea that someone who just wants to get their work done might have problems because of something beyond their immediate control. But it's not entirely beyond their control. Microsoft could not possibly exist were it not for the users who purchase its products.
When its products malfunction in preventable ways, they make the Internet a worse palce for everyone. I may run a relatively secure *nix machine, but I can still receive spam e-mail delivered by compromised Windows machines. So can everyone else. Since the situation could not possibly exist if not for Microsoft's users, is it really an injustice that they catch some flak when the entity they keep financially supporting fails to do its job? If they dislike this, should they not be a bit more careful about how they vote with their wallets and for whom they vote? I know the victim mentality is popular these days, but if you either know or could have known what you're dealing with, and continue to behave as though you do not and cannot know, should you cry fowl when there are negative consequences?
Microsoft has a long history of problems like this. Anyone who deals with them and doesn't know that has simply failed to do their homework. The real "accomplishment" of Microsoft is that they, through their widespread presence, have convinced the general public that exploits, malware, and other security problems are a normal part of operating a computer. I'm not claiming that Microsoft's products are without merit; if they were, even the non-technical masses would not use them. I am merely skeptical of any notion that their positive contributions to this industry have outweighed their business practices and their negative contributions to this industry.
Re: (Score:3, Funny)
should you cry fowl when there are negative consequences?
Certainly not. That would be ducking responsibility.
Re:MS was concerned about how this was exposed? (Score:5, Insightful)
Sheesh, blah blah blah. What your parent said isn't a talking point. His point was much better than yours in less words. All a researcher has to do is notify MS. Give them a reasonable amount of time that you clearly specify(say a month) and then publicly disclose it. Your disdain of MS shouldn't erode your common sense.
You have failed to address the issue I raised.
If its users were more discriminating and more willing to expect quality, I would have no reason to disdain MS. You act like any disdain on my part is an opinion or a matter of taste, and not like MS has soundly earned it.
Microsoft is a business. That means they will tend to do whatever makes them the most profit. If selling garbage makes profit for them, then they will sell garbage. If no one is willing to buy garbage, then they will be forced to sell quality. Therefore, Microsoft does whatever its paying customers are willing to put up with.
The point I raise, to restate it for you, is that this multibillion-dollar company with many highly skilled employees has both the expertise and the resources to design their systems in such a way that they do not suffer such vulnerabilities. They don't do this because they can profit without doing this; therefore, why would they go to the trouble when more effort means more expense? They can profit without doing this because their paying customers will tolerate insecure products. They think malware and other system compromises are an inherent aspect of owning a computer. If people who hold this false belief and use their money to support a vendor which caters to this false belief suffer because of this false belief, why should that trouble the rest of us? Are they not reaping what they sow?
Those of you who believe in confidential, discreet disclosure are implying that the effects on the customers should trouble the rest of us. I'm willing to entertain the idea, but to do that I need someone to tell me why Microsoft's customers are not merely reaping what they have sown. You have not addressed this. If you would like to, I'm all ears, but attempting to tell me that Microsoft's security history is irrelevant, that it's unfair to consider its business practices and priorities, or that I should ignore the fact that they have both the knowledge and the resources to deliver more secure products will never work with me. Please save that and your "blah blah blah" handwaving for the pushovers who are impressed by your assertions. As for me, I deal in facts.
Again, if you would like to actually address any of the issues I have raised, I'm all ears. The fact that you dislike my opinions has been noted, but does not constitute a worthy response.
Re:MS was concerned about how this was exposed? (Score:4, Insightful)
It does sound "tired" and I appreciate that you are up-front enough to concede this, but in the same spirit I can admit that it's not unreasonable to wonder it. Still, I have a simple issue with this argument. While it has nowhere near the marketshare of Windows, there are still millions of Linux computers connected to the Internet. Compared to Windows, a disproportionately large number of Linux machines are beefy servers with large amounts of bandwidth. If they were as easy to take over as a home user's Windows machine, they would be more attractive targets. Yet there are no successful viruses or other self-replicating malware programs for Linux in the wild. There are proof-of-concept viruses, but they do not propagate on the Internet.
My disagreement here is that you don't need to prompt the user or enable any highly exotic verification to prevent the exploit that is the subject of this article. All you need is some decent sandboxing. Yet one of the most powerful, resourceful, and well-staffed software companies in the world failed to implement it for this version of Windows. Something there does not add up.
In my opinion, you are engaging in quite a bit of hyperbole there. On my Linux system, the "help" function (in my case, a part of KDE) is implemented by binary executables that are owned by the root user while readable and executable (but not writable) by the user who is running them. Firefox, which runs in a similar fashion and also has the privileges of my normal non-root user, cannot affect the KDE online help even if it wanted to. This is an example (and not the best one) of the principle of least privilege. Firefox doesn't need to have the power to modify other parts of the system, so it has no such power. Simple.
There's no need for me to enable any extra confirmation dialogs, or anything else in order to achieve this. I simply enjoy it as part of the fundamental design of this operating system. I have a very hard time believing that one of the most well-funded, well-staffed software companies the world has ever seen was not capable of either matching or surpassing this level of robustness. This was already a standard feature of Linux before XP was released. That isn't the sort of "innovation" they keep talking about. It's more like a bad job of playing catch-up now that more recent Windows versions have improved in this area.
Windows is not merely the low-hanging fruit. It's more like the pre-chewed fruit that is already partially digested. Perfect security is of course not possible. But if you want to eliminate all the large botnets and spam networks, that's easy: make Windows security strong enough that automated attacks will not compromise it. Make it
Re:MS was concerned about how this was exposed? (Score:4, Informative)
It does sound "tired" and I appreciate that you are up-front enough to concede this, but in the same spirit I can admit that it's not unreasonable to wonder it. Still, I have a simple issue with this argument. While it has nowhere near the marketshare of Windows, there are still millions of Linux computers connected to the Internet. Compared to Windows, a disproportionately large number of Linux machines are beefy servers with large amounts of bandwidth. If they were as easy to take over as a home user's Windows machine, they would be more attractive targets. Yet there are no successful viruses or other self-replicating malware programs for Linux in the wild. There are proof-of-concept viruses, but they do not propagate on the Internet.
It comes down to target market. The people running Linux servers are qualified administrators. Linux servers are generally role specific. They probably only have a few apps running on them. Unless a network is being run by someone without a clue, Windows servers aren't getting taken apart by driveby downloads. The exploits are happening in one of two cases. Either internal users are leave the secured network and hitting compromised sites, or social engineering-esque exploits are coming in through the mail system, IM, etc.
You brought up Linux servers and then jumped sidways to talk about home Windows boxes. What are we talking about here, apples or oranges? Servers or workstations? What percentage of the Linux boxes are all running a uniform kernel and distro? Where are the consistent apps on every platform? Think like a malware writer for a second. Think like someone trying to find where in RAM an offset is going to be living. Think of an infection vector. What are you aiming for on Linux? KDE? Gnome? X? What revision? Be a serious for a second. If you know enough to write exploit code, what pool are you aiming for? Where you are going to focus the limited time that you have?
Think about the real world. Movie-esque financial heists where you clear millions of dollars out of a compromised system don't happen (unless you work for Wall Street, and then it's legal). Real world fraud is done with compromised credit cards and bank accounts. That data is swapped across the web and kept in Quickbooks. It is locked up in bank websites that have easy to intercept (on a compromised system) authentication mechanisms. If you were going for money, where would you go? Windows, or Linux? Fraud is a numbers game. System cracking is mostly automated. You find an exploit, write a bot and start scanning for the vulnerability. Out of any given Class B block, what percentage of IPs are Windows boxes? What if you're targeting Charter, Time Warner or Cox?
It all comes down to the users, and the numbers of them. It takes time to write an exploit. If you were to roll out 450,000,000 Ubuntu 9.10 workstations with the same web browser and mail client and give them to the general public, you'd have exploits. You'd have exploits if the general public were storing data that thieves cared about. You'd have "Linux Antivirus 2010" the first time someone figures out how to trick a user into downloading a script that resizes their desktop, or randomly changes a .conf file. From there how long until a user "clicks here" on the identical to Canoncial's system message themed dialogue to fix it? How long do you really think it would be before someone finds where Thunderbird or whatever client you want to load with Ubuntu stores its address book? Does Ubuntu desktop even have ufw on by default? I know I had to enable it myself when I loaded 8.04 LTS server. What would stop someone from kicking off an smtpd process, or loading some code to piggy back on Thunderbird?
Arguing Linux versus Windows in the hands of John Q Public is sort of like trying to prove or disprove God at this point. We don't have a large enough sample size to make definitive statements on. IMO, human nature doesn't go away because people use different OSes. The
Re: (Score:2)
Re: (Score:3, Insightful)
Bullshit. When you find a security issue in a piece of Free Software, you feel compelled to fix it. You can fix it and submit the patch (and get the credit for it) without leaving your desktop. Everything is there. do a svn checkout, fix, commit. That's all. People will thank you, and you'll feel great.
When you find a security issue on a microsoft product, you have to:
Find a way to report the bug. You know, it's not simple ... contacting someone in there is impossible. you can send an email and blindly wait
Re:MS was concerned about how this was exposed? (Score:4, Interesting)
Angry or not angry, the point is that disclosing security bugs directly to the vendor first minimizes harm to end users - assuming, that is, the vendor feels sufficiently motivated to fix the bug.
IN A TIMELY MANNER.
You forgot the bit that's at the core of the disclosure debate. Virtually everybody in the security industry agrees on the principles of disclosure. All the flames are over the timing.
In one corner, we have Microsoft. They appear to believe in full disclosure, once the disclosure will have no adverse effects on stock price or profitability.
In another corner, we have a tiny handful of scum sucking, mercenary security researchers who believe that disclosure will happen just as soon as they get paid. And the terms of that disclosure will be whatever the purchaser wants.
In the other corners, and carpeting the entire floor, are all the rest of the security community. They believe that full disclosure must happen in a time-frame that minimizes damage to the user community. They just can't agree on when that might be.
This lack of a concensus has made it easy for Microsoft to define the current terms of disclosure. The result has been suppression of disclosure for longer and longer periods. The inevitable consequence is more and more '0' day exploits.
In September 2009, SANS released an excellent State-of-the-Internet on the top cyber security threats: http://www.sans.org/top-cyber-security-risks/ [sans.org] One of their points was:
"World-wide there has been a significant increase over the past three years in the number of people discovering zero-day vulnerabilities, as measured by multiple independent teams discovering the same vulnerabilities at different times. Some vulnerabilities have remained unpatched for as long as two years."
To demonstrate this issue they enumerated the history of MS08-031:
For example, MS08-031 (Microsoft Internet Explorer DOM Object Heap Overflow Vulnerability) was discovered independently by three researchers. The first researcher submitted remote IE 6/7 critical vulnerability on Oct 22, 2007. A second independent researcher submitted the same vulnerability on April 23, 2008. A third independent researcher submitted the same vulnerability on May 19, 2008. All three submissions outlined different approaches of auditing and finding the same vulnerability.
What goes unstated is while 3 'responsible' researchers disclosed to Microsoft and waited and waited, unknown numbers of hackers also discovered the vulnerabilities and exploited them.
Just this week, a dozen well managed, fully patched, WinXP (with .NET installed) computers at my institution were compromised by clicking on a major news site (http://www.ksl.com/index.php?nid=148&sid=9814436).
Microsoft would have us believe that this is acceptable. But really, would immediate, full disclosure be any worse?
Miles
Windows Help F1 (Score:5, Informative)
Re: (Score:3, Funny)
Wishful thinking (Score:5, Insightful)
"Microsoft is concerned that this new report of a vulnerability was not responsibly disclosed, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed."
Call me a cynic, but I've got to be honest: The net effect may be positive, but I don't believe that Microsoft's idea of 'responsible disclosure' results in high priority investigation and timely patching of MS products.
F1 key? (Score:3, Insightful)
What you really don't want to press is that cursed, evil POWER key. You know, when you're trying to find the Page Up ke
Not such a bad advice (Score:3, Funny)
Re:Not such a bad advice (Score:5, Insightful)
I have yet to stumble upon a helpful help page in Visual Studio 08. Usually a search with Google ends up faster on a relevant MSDN page than pressing F1 in VS.
Interesting enough, it is also more relevant than a search inside the MSDN or using Bing. You usually do NOT find the same MSDN content as quickly within MSDN or with Bing, but instead get offered pages that try to cram some MS-interface down your throat. Maybe nice if you're programming with that interface, but utterly useless if you're using C++ instead of whatever web-aware magical brewitup crap MS tries to push currently.
Re: (Score:2)
I never buy this line of reasoning. I think the VStudio MSDN help is a lot easier, especially when you want to learn about 50 different methods all in a couple of seconds. Online, it requires 50 different page reloads. In the MSDN help, the pages load instantly. I guess I always use the index - the search itself is useless. Must be because I've been using it for a bazillion years.
I rememeber when the first MSDN was just a bundle of KB docs, and they put a little index on it. Boolean searches! More po
Re: (Score:2)
Unless you count MS's development tools; the online help there is excellent. Forget the order of the parameters for REPLACE() in SQL? F1 takes you right there.
Does it affect Firefox on XP? (Score:3, Interesting)
I thought it said 'don't press the 'F' key'... (Score:5, Funny)
Re:I thought it said 'don't press the 'F' key'... (Score:4, Funny)
This is ridiculous (Score:2)
Re: (Score:2)
No, if you are using Firefox, the VBScript that triggers the exploit will not be run.
(I guess the exploit is still there, but I'm not sure how it is going to do anything, as the trigger requires malicious code to be loaded into IE, and then the user needs to press F1 while the code is doing its thing)
To read the rest of this article... (Score:5, Funny)
press F1 to continue.
Re: (Score:3, Interesting)
Opens new doors... (Score:3, Funny)
I cannot think of a better way to spread this (Score:3, Insightful)
Having seen the average MS help file... (Score:3, Insightful)
...you're not losing all that much.
Damn! (Score:3, Interesting)
I'll have to stop missing the ESC and ~ key!
Most annoying thing: press F1 in a software like Visual Studio and have to wait 5 minutes for it to refresh online help.
Microsoft Interview (Score:4, Interesting)
Needless to say, I turned down the job offer. It doesn't surprise me how they keep making flub ups like this when the people at their company are so arrogant.
don't worry! (Score:4, Funny)
Oops! (Score:2, Interesting)
I hit F1 by accident at least once a day trying for the Esc key.
Disabling help svc is an early part of install (Score:4, Informative)
Advisory is not quite right (Score:4, Insightful)
You're welcome.
Best way to stay trouble free on Windows? Don't use IE. Or Outlook. Or IIS.
Better to just not press any keys in Windows XP (Score:4, Interesting)
If you are still using XP at this point, who cares? Go for it. Press F1 while running FlashPlayer and Acrobat and IE6 simultaneously. If you gave a shit or had any data worth protecting you'd already be using a Mac or other Unix.