XP2 Spotted In The Wild

LostCluster writes "WinXP SP2 has just been released to the public via Automatic Update, but eWeek and PC Magazine are together reporting that Windows XP SP2's 'Windows Security Center' is just about as insecure as it could possibly be. According to them, any program (including ActiveX controls) can access and edit the Windows Management Instrumentation database, and therefore spoof the security status of an insecure box to report that it is properly secured."

Clippy.exe is eeevvviiilll

[by Anonymous Coward]

any program can access and edit the Windows Management Instrumentation database

That MF'ing Clippy.exe in MS Word better stop accessing my Instrumentation database or I'll punch that SOB into the middle of next week. Really any program can access and edit the Windows Management Instrumentation database; I knew solitrae and tetris and an altier motive.

Programs in the wild

[paranode (671698)]

<steve irwin>
We're out 'ere lookin for signs of the elusive XP2 that's been said to be lurkin' in the wild...

Crikey, I've just spotted a wild paypah-clip in it's natural 'abitat! Look at those big ole eyes an'.. oh!.. there he goes trying to ask me if he can 'elp me!! You see, this creature is what's known as a parasite, 'ee leeches off o' your Windows Management Instrumentation databases. It's 'ard to satisfy one o' these buggers, they'll never leave ya alone until they've done your work for ya.

</steve irwin>

No problem here!

[GroovBird (209391)]

My box says it's insecure! So therefor, I can't possibly have some spoofing ActiveX control thingie, can I?

SP2 - as secure as any linux distro...

[BobRooney (602821)]

if every user were root.

Re:SP2 - as secure as any linux distro...

[Red Alastor (742410)]

And all running the same distro. And all running Internet Explorer with crossover. ;-)

Re:SP2 - as secure as any linux distro...

[dasmegabyte (267018)]

And designing new programs from a marketing impetus instead of what people want.

Seriously, this Security Console is a good example. "What if somebody could tell if their machine was secure just by opening a control panel?" That's a very good idea -- but it will take at least a year to develop something like this that actually works well enough to be a part of windows. In the meantime, they shake and bake something so people know they're working on it.

This is the Microsoft equivalent of Sourceforge Development Status 1. It's a dog and pony panel that will undoubtedly be replaced by something good in the future -- but by that time, most of the industry will have lost all trust in it.

Such is the case with IIS 6. It's actually pretty good, according to a lot of web programmers I know, but I just don't trust it -- to the point that I'm considering not using C# for impending web projects despite having a massive C# codebase. MS would have to go VERY far to get that trust back, and make a security leap similar to the UI leap they made from 3.1 to 95 or the stability leap they made from 98 to 2000.

Re:SP2 - as secure as any linux distro...

[bankman (136859)]

And designing new programs from a marketing impetus instead of what people want.

You probably don't know it, but marketing is about giving people the product they want. Unfortunately many companies (and Microsoft is one of them) talk about marketing, but what they are really talking about is advertising.

"What if somebody could tell if their machine was secure just by opening a control panel?"

This statement would be a really bad example of marketing: The company and/or its developers and "marketing" experts sit together and brainstorm without ever actually asking the customer. If they were to ask me this exact question, my answer would be:

"Are you really this insane? I don't want a control panel to tell me whether my machine is secure. I want the machine to be secure, plain and simple. Given MS Windows' (whatever incarnation) security track record, I neither would nor could ever trust any application that tells me the security status of the machine from within. It's probably already cracked, infested or whatever anyway by the time I check it. If history tells us anything, it's that any application can be made to tell me that it is secure."

...but it will take at least a year to develop something like this that actually works well enough to be a part of windows.

I couldn't agree less with you. According to developers who are far more experienced with Windows than I am (IANAP), Windows is insecure by design, no fix or additional security layer on top of the current product will ever make it more secure. The only way to fix it, is to dump it and start from scratch.

This is the Microsoft equivalent of Sourceforge Development Status 1. It's a dog and pony panel that will undoubtedly be replaced by something good in the future -- but by that time, most of the industry will have lost all trust in it.

Many people argue that XP is, while more stable than all previous versions, with the notable exception of W2K, is still in development status and many of its design features are so braindead, that many knowledgable people have already lost trust in it.

IMHO, this is yet another stupid toy to make the casual home user and the boss feel more secure without actually delivering on the promises. If you were to ask them, they would all answer that they want a machine that is actually more secure rather than a having a MS tool that tells them they are. Once they told you, you design a product that is actually secure and does what the customer wants. This is marketing from an academic's point of view.

Its not that bad

[gad_zuki! (70830)]

IE is actually usable for the first time since, err, ever. The extra nag dialogs and the pop-up blocker go a long way towards keeping spyware off your machine. Lets face facts, most people will never stop using IE. They will go to their deathbeds using bundled software. They will never switch to Firefox or Opera. This is the service pack for them.

The nag "Where if your anti-virus" box is a reminder that windows needs an AV program to run properly. I can't stress how important a built-in firewall is, even if it is "weak" its still going to introduce people to the concept of a firewall much more than the old version did. Personally, I dont think ports over 1025 should be blocked by default, but that's just me.

I've been running SP2 since MS released the final version and am pretty pleased with it. XP even feels snappier. It passes the "grandma" test fairly well and like you wrote is a good first step towards securing windows. If it only helps fight spyware installs its worth its bytes in grams of gold. Especially for us techies who get called, bothered, etc for stuff that is completely preventable.

This is really the first step to securing windows for the everyman, if such a thing is truly possible. Soon enough current machines will be replaced with machines with processors which understand NX, thus making the feared buffer overflow much less fearsome.

Even though SP2 is going to cause all sorts of headaches with clients, friends, and family, I'm very optimistic about what it can do to help stop spyware and to a lesser extent worms and viruses. Its a real shame there isn't an equivalant SP for the HUGE win2k user base out there. Seems like the script kiddies will now be focusing on win2k machines from now on.

Re:SP2 - as secure as any linux distro...

[SilentChris (452960)]

"have a look at the "dragging a scroll bar can be used to install and auto-run arbitrary programs" example below"

It drops an executable into the Startup folder for the *user*. In other words, no root privledge is ever exercised, and the app would likely do nothing on a correctly-configured box (the worst malware can do running as non-root is wipe a user's directory -- same as in Linux or any other OS with similar permissions). Learn about security before you comment on it, please.

Re:SP2 - as secure as any linux distro...

[10101001 10101001 (732688)]

the main problem is running systems with more privileges than they need.

First, let me assume you didn't mean what you said. What you *did* say doesn't make sense, as the only way for a system to run with less privileges would be for it to not even have a System Administrator account while leaving some other system with that authority. That sort of top-down authority over PCs seems quite out there for all sorts of reasons.

So, lets assume you mean "the main problem is users running with more privileges than they need". The problem at core then is *why* they run at higher privilege than necessary. Part of the reason is that Run As and the like are not inconvenient and just not well known. In the process of making the system more "user friendly" Run As and ilk aren't at all discussed. In fact, users added at install are given power user (which can do all sorts of nasty things to applications) or administrator power.

For the complete naive (or to overcome various limitations to Windows sessions, like not being able to do persistent apps in the background (dialup users on at least Win 2k (and possibly Win XP, though having not used it in that capacity I couldn't say), you know what I'm talking about)), this means having one account open either all the time or possible on auto-login. For the less naive (or users who can figure ways to overcome the limitations of Windows), you'll create multiple users, but then all users can still screw up the entire machine with *anything* they run. Yes, physical access does mean you can 0wn a box, but like you pointed out with so many buggy programs it also means very much that non-physical access can 0wn the box too.

My point in all this is, even users who *try* to do some security are still fucked over thanks to MS opting for ease of use and "usability" over reducing privileges, finding a better way to have someone admin the box (and watch users flee when they realize they have to do work; oh, but it's better to go under the MS banner of low/no maintainance, turn a blind eye to the reality that most PC software needs maintained, then moan to all your techie friends that your computer is so slow, keeps crashing, etc), and teaching the user how to run the few necessary programs in "less-secure" mode (anything automatic short of extensive hashing will end up being spoofed and exploited all over, so it's better to rely on the user) while making sure Windows itself is actually designed to handle multiple people using a machine.

But, all those stack protectors should slow down those hackers, hopefully (well, assuming they're done at runtime in a staggard approach to avoid a whole cluster of near-identical hardware all producing the same value; the last thing you want is something predictable), which is at least some small consolation for those who actually update their machine...

Re:SP2 - as secure as any linux distro...

[dotcher (761759)]

You're right, I wasn't as clear as I should have been - "users running with more privileges than they need" is indeed what I meant.

I'll grant that some of the Windows defaults are appauling, security-wise, and creating users as Administrators is part of that. Microsoft are making an effort to advertise features like Run As, though - there's a topic in XP help explaining why running as an Administrator is a bad idea, for instance.

(That said, I've no idea how many people actually read it, of course).

The point I'm trying to make is that any system with uneducated administrators is going to have security problems, sooner or later. Most Unix users tend to do their research and understand why running as root is a problem, as do the application developers. If your applications will run fine as a normal user, then people will run as a normal user.

That doesn't apply as strongly in the Windows world - people are much less likely to do any security research, and application developers do have a tendency to make it harder for people to run as a user. That's beginning to change, though - the current guidelines for the "Designed for Windows" logo on software include a requirement that software runs correctly as a non-administrator.

Hopefully, the next release (be it a SP3 or Longhorn, should it ever be released) will concentrate on the user education side of things, and make it easier to do the right thing with regards to least privilege.

Leave it to microsoft

[Nos. (179609)]

To build in a security overview system and leave it wide open so that its easy to fake the current status of things like your firewall and anti-virus.

Internet Meltdown Predicted for Today

[Cocodude (693069)]

So this is what the Internet Meltdown Predicted for Tomorrow [slashdot.org] article was referring to!

That's ok

[Bricklets (703061)]

According to them, any program (including ActiveX controls) can access and edit the Windows Management Instrumentation database, and therefore spoof the security status of an insecure box to report that it is properly secured."

That's ok. MS probably wants it to be easy to use so that everyone can use it. ;)

Pseudo Problem.

[vi (editor) (791442)]

If a boxen is 0wned then we can savely assume that the 0wner/w0rm has root access. And with root access it can do anything anyway.
This is like complaining that one can shut down your computer by removing the power plug.

Re:Actually, no...

[BabyDave (575083)]

The reason they say its safer is because they took advantage of the new processor features that allow you to mark a block of memory as "non-executable" thus stopping buffer overrun 'sploits and similar problems. Linux doesn't have this feature.

Yes it does [google.com]

Scary stuff.

[sploo22 (748838)]

Step 1: Go to http://www.mikx.de/scrollbar/ [www.mikx.de]
Step 2: Drag the scrollbar down a bit and let go
Step 3: Start -> Programs -> Startup

That's just spooky.

Re:Scary stuff.

[spellraiser (764337)]

You forgot ...

Step 0: Open IE

Couldn't even drag the scrollbar in Firefox :-/

Then I opened IE and tried it - jackpot. Nice little booom.exe in my startup folder. I have SP2 installed. Good grief.

Re:Scary stuff.

[NtroP (649992)]

Crap! One more site that doesn't work right in Safari or Firefox!

I guess I'll have to switch back to IE.

Incorrectly report, but change?

[iainl (136759)]

I'm seeing reports all over the shop that its easy to spoof the security centre into claiming that (for example) the firewall is turned on when it isn't.

What I've yet to see is any indication that its possible to actually do the turning off of things, which would be rather more serious.

As it is, surely the only problem is if you forget that you turned something off? I've no big plans to make my box insecure now I've done configuring it on installation.

Close it anyway MSFT or stop the default Admins!

[garcia (6573)]

To spoof the Windows Security Center WMI would require system-level access to a PC. If the user downloads and runs an application that would allow for spoofing of Windows Security Center, they have already opened the door for the hacker to do what they want. In addition, if malware is already on the system, it does not need to monitor WSC to determine a vulnerable point of attack, it can simply shut down any firewall or AV service then attack - no WSC is necessary."

Sadly just about everyone runs shit as Administrator (it is the default mode for XP Home installs) to make life easier and as MSFT has noted they are opening themselves up to the attacks... For those that will mention that Linux is so much better remember that these are the same people that wouldn't like to have to change to root (sudo, su, login, whatever) to install anything and would be opening themselves up to the same vulnerability level as if they had been running Windows.

Basically the problem was in design... They should not have had an open API controlling the "WSC" and thus malware would not be able to detect the presence of the programs' status from a single location. The real problem is that MSFT isn't admitting that it is a serious problem and needs to be changed on a different level... Saying that malware writers are going to use the direct route and disable the firewall/AV outright, while true, doesn't get them off the hook for creating this hole that is more difficult even for a more advanced user to notice.

Re:Close it anyway MSFT or stop the default Admins

[grasshoppa (657393)]

There is one subtle difference between linux and window admins: There is a lot of window software that is written to be run as administrator. Finding all the files to give permissions to causes quite a headache.

Linux, I feel, has a better system at the moment. However, as this is the developers fault, I see no reason why linux would be immune from this problem.

UA String any different?

[by Anonymous Coward]

Is there a way to distinguish Windows XP with SP2 from older versions through the User Agent String?

No real surprise

[Arclite (471674)]

Let's be honest. Did anyone really expect SP2 to not need a slew of new patches after release?

Personally, I'm just glad that it doesn't bomb randomly after install. Yet.

Need root?

[randyest (589159)]

No, most user's don't need to be root most of the time. Yet:

While we are not aware of any malware exploiting this, we think it will only be a matter of time. The one mitigating factor that we found is that to change the WMI, and spoof the Security Center, the script has to be running in Administrator mode. If executed in Windows XP's Limited Mode, it will give an error, and not allow changes. Unfortunately, most home users who will be at risk, run in the default administrator mode.

How can we convince people not to run admin mode? It's easy at work, in UNIX land (most people don't get to know root pw.) But most Windows users I know don't even know the difference.

Every windows security problem I know of can be solved, or at least significanly mitigated, by users not running root.

Re:Need root?

[0123456 (636235)]

"Someone please explain to me how this is different than Linux?"

Most programs on Linux run happily as a non-root user. So many programs on Windows force you to run as an admin user that most people who even think about trying to run as a non-root user quickly give up...

I installed it last night

[mrgreenfur (685860)]

I noticed it was up last night to I installed it.

It's 94.50 mb which takes a while to download. Upon installation and restart the new windows security center pops up and trys to get you to turn on your firewall, automatic updates and antivirus software. By default if any of these are off, there's an obnoxious red shield in the system tray. Turning off alerts for these makes it go away.

Otherwise there doesn't seem to be any major changes.

So far nothing's borked.

Send in the Rovers

[MikeMacK (788889)]

Based on an anonymous tip, PC Magazine looked into the WMI and the Windows Security Center's use of it, and found that it may not only be a security hole, but a crater.

Maybe MS could get NASA to send a few rovers in there to see what they can find out.

I don't think anything can be done.

[London Bus (803556)]

To make Windows secure, that is. I know lately that Microsoft-bashing has gone from being the in thing to being "trolling", but it's true. Just because it's become less fashionable to say so doesn't change the fact. I don't understand how Windows users can continue to use these machines. I live in a relatively remote area of Japan, and yet somehow within 4 minutes after hooking up my brand-spanking new machine to the Internet, I started getting Code Red connection attempts and repeated assaults on various four-digit ports. I guess they don't respect geographic boundaries either. By the way, this all happened while I was downloading XP2/SP2. It's not going to help when we don't even have time to install it before getting our machines "owned".

I've always criticised Linux users for being sloppy and the like, but the operating system itself is at least rock solid. It rarely crashes, it has a decent windowing system, and I don't see advisories for it on Bugtraq every 8 hours. Windows is easy to install, but it's all too easy for someone else to compromise. Ease of use is nice, but I think I'll take peace of mind with GNOME on Fedora Core.

Running as admin?

[W2k (540424)]

According to them, any program (including ActiveX controls) can access and edit the Windows Management Instrumentation database, and therefore spoof the security status of an insecure box to report that it is properly secured.

Um .. you sure that's not supposed to be any program that's already running as admin on the box in question? Sorry, but if I was a malicious app running as admin, I would do much more interesting things than tamper with the security center. Not even Linux/OSX/*BSD are secure if you manage to get malicious code running with admin rights. The article got it right (it mentions that the attacking script/app/whatever must be running as admin) but whoever submitted this to Slashdot seems to have missed this tiny, unimportant detail.

The next thing to be said is usually: "But most home users run as admins." (The article also mentions this.) Well, that's not a Windows problem; that's a user problem. Even if Windows forced users to run in "limited mode" (which would cause an outcry in itself - "eek, Microsoft is trying to take away control over our own computers from us"), it also doesn't help that most third-party software for Windows requires admin rights either to install or *gasp* to run. Of course, this is ancient news to everyone with a clue .. nothing to see here, move along.

Of course, even when running as admin, protecting yourself against malicious code is fairly trivial; simply use a firewall (SP2 incidentally includes one), don't run binaries from untrusted sources, surf the web and check your email using something other than IE/Outlook [mozilla.org], use a virus scanner/shield, and keep your apps and OS updated. Again, no news to anyone with a clue.

Re:Running as admin?

[Tom (822)]

"But most home users run as admins." [...] Well, that's not a Windows problem; that's a user problem.

You are oversimplifying. Ask yourself why most home users run as admins. May it be because that's the default? Because XP doesn't even offer another setup option, but hides it well? Or maybe because tons of things simply don't work if you run as a normal user?

Driving reckless is a user fault, yes. But driving reckless when that's how the manual told you to do it and that's what the car was designed for makes it a bit more tricky to properly place the blame.

M$ should make the Admin account anoying to use

[denis-The-menace (471988)]

The only way to make joe user NOT want to use an Administrator account is to make it anoying to use. IE: -Display a NAG window everytime the user launches an application. (Maybe only if the user spends more than 30 minutes in the account) Maybe even make it easy to do some admin tasks easily as a Limited user by prompting for the administrator pw when required like Linux distros do today.

Bad Logic From Microsoft

[catwh0re (540371)]

Judging from Microsoft's response to this issue. (and many similar issues in the past)

They bypass this obvious lack of security as a feature, and that the application is rather to serve as an extra barrier of obscurity to hackers, and not as a solution to the problem (which it will ultimately be marketed as.)

This unfortunately isn't an adequate mentality. Microsoft appear to make the mistake to think that hackers are as technically challenged as their regular home user base.
Yes! certainly a home user wouldn't be able to craft some accidental software that rips a hole through the new security centre features. However, hackers which discover holes in Windows (Without ever seeing the source code.) have the competency to add the extra layers of dodging to their worms. This it at Microsoft's peril, as now worms can fool a system into reporting that everything is fine, in turn fooling the technically challenged home user into also thinking, that their new DDoS server is also functioning without a hitch.

Microsoft needs to understand that hackers are significantly "gifted" in comparison to their regular user base (many of which who'd think Mac OS X is another version of Windows.) They must craft their security devices such that they can not be trivially undermined, and put an end to the assumption that more easily bypassed road blocks lead to greater security.

Cowards at PC Mag

[Sloppy (14984)]

This open door to the security status of a system can be exploited several ways. First, a malicious site could download a file (possibly with the drag and drop exploit discussed in our Windows updates and vulnerabilities section), which could run and access the WMI, monitoring the status of the firewall and antivirus protection.

Holy crap, you're already executing hostile code, and you're worried that MS has added yet another library that it can call? You fucking idiot! It can already write to your disk's partition table, what more are you worried about? A psychotic killer is holding a loaded gun to your head, and you're worrying about the second-hand-smoke cancer-risk from his cigarette. ;-)

People, get a clue: a "malicious site" can't do anything to your computer, unless your box has already been compromised.

PC Mag, here's an idea: tell the users what the real problem is. You damn well know what it is. But you're afraid, because they spend a shitload of money on ads.

Animated dog...

[zxflash (773348)]

If the animated dog says my machine is secure who am I to argue with it...

Re:Can someone answer this question?

[hardreset (775806)]

Microsoft released SP2 in a staggered fashion. First to MSDN subscribers, OEM's, Enterprise customers, etc. Second, SP2 was unleashed to XP Home Edition via Windows Update. Today, they're finally allowing XP Pro users to get the patch. It was intended to allow corporate customers the ability to disable the update to their clients.

Re:Leopard?

[lucabrasi999 (585141)]

Sounds like some sort of leopard in the jungle, if you ask me.

Cue Marlin Perkins (of the old Mutual of Omaha Wild Kingdom [museum.tv] shows):

MP: "Today, we are going to find and capture the elusive XP2 Leopard. My associate, Jim, is armed with a toe-nail clipper and a badminton raquet. Jim, why don't you start marching down that trail over there? I'll be back at the truck with the cameraman and a bottle of scotch."

Re:this is surprising?

[Errtu76 (776778)]

Right. I can only assume you're using Linux now, and I apologize if i'm wrong. So you probably never have to: upgrade your kernel, upgrade applications or do an fsck. If this is the reason why you abandoned windows, it's a silly one. As far as i know, only consoles (Nintendo, PS1/2 & Co.) don't require updates. Everything else does.

Re:this is surprising?

[halowolf (692775)]

Oh XBOXs can be updated. Its the first thing that happens to them when you connect to XBOX Live, and there are more updates after that.

Of course, you can "update" them also with mod chips, but I don't think that that is what you had in mind :)

Re:this is surprising?

[bmj (230572)]

I guess that depends on what you mean by "have to". An out of the box Fedora Core 2 system will work and play just nicely with your email, office, internet, graphics, video, etc. An OOB Windows XP install will only last 20 minutes once connected to the internet.

Out of the box Fedora may work with everything, but at some point in time, security vulnerabilities will be found in some piece of open source software, and a patch will (quickly) be made available. An unpathed *nix machine can be just as dangerous as a Windoze box.

Re:this is surprising?

[DashEvil (645963)]

Hey. I hate Windows as much as the next guy, but if you want to make a compelling argument you should at least be fair.

Windows XP came out in 2001. Do you really need me to tell you that running a RedHat distribution from 2001 would be suicide right now?

Re:I'm sorry, were you expecting better?

[SilentChris (452960)]

This has nothing to do with the base security of Windows. The base nuts of NTFS and the security scheme has been solid ever since it was ripped from VMS. The problem IS the bolts that have been added since then: easily-foiled APIs that have full access to some of the underpinnings when they shouldn't.

Quite frankly, if MS never "innovated", it would be a fairly secure product. NT 3 was practically bulletproof. It's when they started grafting on Win32 junk from 9x, things started to get screwed up. Take off that top layer and everything would be kosher (but a lot less user-friendly)... just like Linux.

Re:I'm sorry, were you expecting better?

[Jeff DeMaagd (2015)]

Wasn't security for UNIX and UNIX-like systems an afterthought? The difference being that it has had decades of work to get where it is now, by companies and organizations that had to make it good, and not just a few years on a product that only has to be "good enough" for consumers.

Re:I'm sorry, were you expecting better?

[Hungry Student (799493)]

That's because you got the network admin version, which has every little bit for every possible system so that admins can customise it for the systems running on their networks. The version designed for single computers is between 50 and 80MB according to how well patched your pc is to start off with. You're right that they're, effectively, rolling out XPv2, but your reasoning's off.

Re:I'm sorry, were you expecting better?

[Vann_v2 (213760)]

That's the network install, which includes every update since XP was released plus code to figure out what version of Windows you're actually running. If you download it from Windows Update it does all that before-hand and only sends you the stuff you need, which makes for a much smaller download.

Re:I'm sorry, were you expecting better?

[AKAImBatman (238306)]

Personally, I would applaud more if their idea of security wasn't so damned screwy. For example, XP SP2 now modifies IE to reject redirects. i.e. If you have a redirect page to forward someone to your new website, IE will pop up an error message and tell you that it won't redirect. To make the redirect work, you have to add the site to your list of trusted sites. Apparently, there is no way to turn off this behavior.

If Microsoft would focus on *real* security like that found in FireFox, OS X, etc., they wouldn't have to put these stupid "security" enhancements in. On the bright side, Microsoft is making Macs veeerrrry attractive to end users.

Re:I'm sorry, were you expecting better?

[danheskett (178529)]

For example, XP SP2 now modifies IE to reject redirects. i.e. If you have a redirect page to forward someone to your new website

META REFRESH is not a good way to redirect people, and furthermore, it's not standards compliant. Allowing META REFRESH to direct users around the web without their consent is deceptive, and a major usability problem for users.

One of the big goals of SP2 was to improve the web browsing experience for users tired of getting hijacked by bad nasty web pages that intentionally use seemingly harmless methods to corral, trap, and frustrate users.

A lot of people use the META REFRESH directive to move them to a new URL once an old one has expired. Even on FireFox/Mozilla this can be used to trap users, enable phishing, and the like.

Better methods when you can addresses is to:

Use server side URL rewriting, like in mod_rewrite or like available in IIS

Display a simple page with a large clear hyperlink and message to update the original link

Display a simple page like above and use a simple Javascript to move the user (unlike META commands, the Javascript can be disabled).

Use the appropriate 3xx HTTP status code and let the client handle the change appropriately

Re:You would think..

[Anaphiel (712680)]

A poster further up the thread has it right: it's nearly impossible to make a software product, especially one as large and complex (and insecure) as XP, secure after the fact by patching it. Security is best designed into a product at every level from the very start.

What Microsoft is doing is analogous to me trying to turn my apartment into a bank:

Initially I just put up a sign that says "Bank" and leave the money lying on my sofa. Then when I get tired of people walking in and taking the money I lock my door. Then they kick in my door, so I get a thicker door. So now they climb in through a window, so I close and lock the windows. They break a window, I put up shutters. They cut through the floor, I lay down cement; ceiling, I add an alarm; they cut the electricity, I buy a generator. Maybe at some point I buy a safe, which works until they pick the safe up and roll it out of a hole cut into my wooden walls. This goes on for years, until eventually I get fed up and move out, and have a building built to purpose that's secure as a bank should be.

Where this analogy breaks down is at some point pretty early on customers would stop giving me their money until I got my act together, where they've shown no intention of doing the same to Microsoft.

Re:This sounds like a typical...

[praxis (19962)]

I would also like to tell my story. I've been a Windows user since 1990, a Linux user since 1995, a SunOS/Solaris user since 1995, an Irix user since 1995, an OpenVMS user since 1997, and an AIX user since 1997. I don't run all of these concurrently anymore but I've administered each of them for quite some time. I keep abreast of security issues in each OS I'm running, even if it's only getting the latest patches. On Windows, I run an up-to-date virus scanner. I had to do a lot more work to secure Linux than I did to secure Windows XP. I have *never*, not *once* had a serious issue with any of my machines running any OS unless it was a hardware fault. By serious I mean anything beyond a virus caught by the scanner or an application crash due to a bug. I may, or may not, help that I don't run any software beyond the business apps I need, a few games, and some IM client. I don't download much software, beyond perhaps putty, Java run-time, and well, perhaps something else. I did, in college witness many people have problems with Windows, and they did not run AVS, used Kazaa liberally, and liked to install little apps that web pages offered. There is no technological solution today that trumps educating users. I'm rambling, so I'll stop.

Re:Please help a Linux Newbie

[Teun (17872)]

They sound like they have the same (or very similar) problem

What do you mean *They*?
It's the same guy Anonymous Coward every time!