Bug Internet Explorer Security The Internet

New Windows Vulnerability in Help System 576

wesleyt writes "CERT announced today a significant Microsoft Windows vulnerability related to IE and its handling of the Windows help subsystem. There are currently no patches available and no virus definitions for the major scanners. As well, exploits have been reported in the wild. Because the vulnerability is in the help subsystem, even users who avoid Outlook and IE are vulnerable, since IE is the default handler for help files. It seems that this is going to be an ugly one."
This discussion has been archived. No new comments can be posted.

  • MS (Score:5, Funny)

    by Fredbo ( 118960 ) on Friday April 09, 2004 @05:06AM (#8813410) Homepage
    Microsoft is in some serious need of some help on this...
  • Horrible (Score:5, Funny)

    by S.I.O. ( 180787 ) on Friday April 09, 2004 @05:09AM (#8813423)
    > and no virus definitions for the major scanners

    Jesus, even my ScanJet is vulnerable?

  • by Anonymous Coward on Friday April 09, 2004 @05:10AM (#8813435)
    that was hysterical. bravo
  • by Raynach ( 713366 ) on Friday April 09, 2004 @05:13AM (#8813443) Homepage
    Pfft, using help files for Windows?? And this is /. news??

    I'm a man, therefore I use MAN pages when I need help. ;)

  • by baryon351 ( 626717 ) on Friday April 09, 2004 @05:18AM (#8813471)
    As a mac user I'm just glad that our beleaguered platform that's now full of trojans has a competitor and hopefully this upstart Windows will take some of the attention away. phew!
  • by Rosco P. Coltrane ( 209368 ) on Friday April 09, 2004 @05:24AM (#8813493)
    I'm a man, therefore I use MAN pages when I need help.

    Tell me, do you also happen to use gimp?
  • by h2odragon ( 6908 ) on Friday April 09, 2004 @05:42AM (#8813560) Homepage
    if i have to re-educate my users to be aware of security, i may as well re-educate them to a better thought out environment.

    To extend the lock metaphor well beyond any rationality: i'll teach them to use keys instead of a "dance and sing" ritual... "you have to log in as root to do this and that" instead of "you have to right click and select this, unless it's september or a full moon when you have to double click here and then do this that and this other step; except for full moons during september when you have to sacrifice a blue goat at 11:13pm PST using a 14 inch Stihl chainsaw".

  • well (Score:5, Funny)

    i loaded up ie, went help... contents and index... search... and typed in "help subsystem vulnerable" and hit list topics

    a pop up box announced "no topics found"

    so what is everyone talking about? this doesn't seem to be a problem
  • mean trick (Score:4, Funny)

    by Ruliz Galaxor ( 568498 ) on Friday April 09, 2004 @05:46AM (#8813575)
    this is probably some kind of mean trick from mister Linus to discourage the use of Windows. I don't believe in this vulnera...

    hey, where did my files go?
  • by shad0w47 ( 261033 ) on Friday April 09, 2004 @05:49AM (#8813584)
    It seems that this is going to be an ugly one. I always already thought this IE thingy was an ugly one, even without this bug?
  • I wonder... (Score:3, Funny)

    by Ruliz Galaxor ( 568498 ) on Friday April 09, 2004 @05:50AM (#8813593)
    how to format my harddisk. Maybe Windows-help can provide me with some support. *clickety-click*

    sig(h)
  • WAIT!!! (Score:3, Funny)

    by The Ancients ( 626689 ) on Friday April 09, 2004 @05:52AM (#8813597) Homepage
    we haven't finished talking about the OS X security hole. Damn MS always has to get market dominance in everything they do...
  • Re:MS (Score:5, Funny)

    by netsharc ( 195805 ) on Friday April 09, 2004 @05:59AM (#8813617)
    "It seems like you're trying to exploit a security hole. Would you like help?"
  • by tekrat ( 242117 ) on Friday April 09, 2004 @06:54AM (#8813750) Homepage Journal
    That's it! I'm buying a Mac!

    "The more I use Windows, the more I love my Commodore 64"
  • by MrLizardo ( 264289 ) on Friday April 09, 2004 @07:09AM (#8813793) Journal
    A perfect illustration of how much things have changed in a couple years.

    Example: UT2004. Put the CD in. In your file browser click on the CD-ROM drive, then click on linux-installer. No need to be root. All recent Linux distros have support for 3D cards, and sound from the first time they boot. Hardest part of the install: Where did they hide the #$*&ing CD-key?! I'll be the first to admit that Linux has been far from newbie friendly in the past. Getting my sound card and my modem to work at the same time took nearly a month the first time I installed Linux in 1998 (Granted Windows had trouble with them too. ISA-PNP was one thing I'm glad to have seen die long ago.)

    Now for Windows Zealot (sequel to Linux zealot)
    User: How do I get UT2004 to install on Linux?
    Windows Zealot: It's sooo hard. You have to put the shiny disc thing in the drive thing...And you have to put it in picture side up! That is so ghey. It took me like 2 hours to figure this out and the whole time Linux was going "There is no disc in the drive!" The instructions didn't say anywhere you had to put it picture side up! If Linux is so advanced why doesn't it support putting the CD in both ways? Anyways after I got the disc in right I had to actually click on the CD icon that showed up, then click on the installer. Then I had to click next like 4 times. I'm not even kidding! Then it gets to the end and it didn't ask me to reboot, it just tried to start the game! So I quick hit the power button and rebooted a couple times to make sure it installed right. It was tough. Linux is too hard for anyone but advanced users like me.

    User: How do I get UT2004 to install on Linux?
    Windows Zealot: Well first you have to make sure that you have the latest version of DirectX. You need DirectX 9.0b summer release*, then you need to get the latest drivers for your video card, unless you have an nvidia card, in which case don't get the latest get the 4491.4594.2223 drivers, get the 4491.4594.2218 drivers. The 4491.4594.2223 drivers don't support the color blue. Then reboot. Then make sure you have the latest drivers for your sound card. Just look in Start->Settings->Control Panel->System->Hardware, click on the Devices button, then look for the chipset of your sound card, then search on google for their website. If it's in Taiwanese, Japanese or Korean learn that language first so you can understand the website. Download the drivers, then reboot. Put in the disc picture side up, click next a whole bunch of times, click finish. Reboot for no apparent reason even if the installer doesn't ask you to. Then start the game. If there's a problem with the copy protection being incompatible with your CD-ROM drive, then you can't play the game. See, easy!

    OK, so I made up some stuff about the nVidia drivers not supporting the color blue. But I did not make up DirectX 9.0b "summer release." My friend in a Windows programming class ran into that trying to get a DX dev environment setup. There is a DirectX 9, 9.0a, 9.0b, and 9.0b summer. It turns out that naming things with numbers, letters and seasons must be the most user friendly practice out there. After all MS is doing it. Some simple Windows things don't make sense to us Linux heads.
    Flame on!

    -Mr. Lizard

  • by jotaeleemeese ( 303437 ) on Friday April 09, 2004 @07:14AM (#8813801) Homepage Journal
    There you are, all your user friendliness rubbish, that Linux is ready for the desktop.

    How would Joe Average, Jose Sixpack, Aunt Tillie, your Mom, my Mom, Grandma, Grandpa, the children, would react if faced with such arcane, incomprehensible instructions?

    In Windows everything is easy, In Windows everything is one click away.

    You Linux zealots are the sux0r.
  • Re:Horrible (Score:3, Funny)

    by Patrik_AKA_RedX ( 624423 ) on Friday April 09, 2004 @07:19AM (#8813814) Journal
    That depends: How long has it been since you last used a strong disinfectant to clean the scanner? If you don't do this before every scan, you might end up digitizing a virus. God knows what would happen if someone would accidentally scan the AIDS-virus.

    Prevent virii, sterilize your scanners before use.
  • by Anonymous Coward on Friday April 09, 2004 @07:26AM (#8813829)
    He's been busy trying to get that damned virus off of his machine.
  • Re:Afraid (Score:3, Funny)

    by SnowDog_2112 ( 23900 ) on Friday April 09, 2004 @07:39AM (#8813858) Homepage
    I don't know about the rest of you, but things like these are actually scaring me out of running Windows.

    If you stop using windows, the terrorists have already won!! :P
  • by Salsaman ( 141471 ) on Friday April 09, 2004 @07:44AM (#8813872) Homepage
    It turns out that naming things with numbers, letters and seasons must be the most user friendly practice out there.

    If this trend continues, their product names will soon be haiku.

  • by kpogoda ( 580939 ) on Friday April 09, 2004 @08:04AM (#8813932)
    Isn't that an oxymoron? I was reading an interview the other day that Gates has shifted the company's #1 priority from Longhorn to security. This is another major blow for Microsoft. But, since when has the help menu actually ever been useful anyway?
  • by Junior J. Junior III ( 192702 ) on Friday April 09, 2004 @08:05AM (#8813935) Homepage
    Considering how seldom the idiot^H^H^H^H^H^H users actually use the help function where I work, it shouldn't be a problem. It seems they regard the IT Support "Help Desk" as their first place to look when they ought to be using the online Help function in that seemingly invisible menu at the right side of their window.
  • by gosand ( 234100 ) on Friday April 09, 2004 @09:11AM (#8814306)
    Imagine teaching your mother to use one account for installs, and another for her email and browsing, then throw in some stuff that will only work under admin and you'll quickly see where this goes.

    Somewhere in Linux-land, a phone rings....

    Hello? Oh, hi mom. Yeah, I can help you install a program on your computer. What do you want to install? Oh, cool. Have you downloaded it? Good job. OK, open up a terminal.... it's a command line interface, where you type commands. Much more powerful than a GUI. Where did you save the file? You don't remember? Hmm. Just type "cd". Now type "ls". Do you see the file name? Great! OK, type "tar -zxf "

    It didn't work? What does it say? OK. What is the name of the file you downloaded? Oh, well, that is a bzip file, not a tar and gzipped file. So type the same thing as before, but use "bzip2" instead of "tar".

    What? Why didn't it work? Oh, it doesn't have the same syntax. Crap. Go to the man page. Oh, man stands for manual. Type "man bzip2". What does it say?

    (20 minutes later)

    OK, now we have uncompressed the files you need. No, not yet. Type "./configure" No, it's OK, it is figuring out what kind of computer and software you have.

    OK, now type "make" OK, call me back when it is done.

    (15 minutes later)

    OK, now type "make install" What? Why not? What does it say? No, not that. Oh, wait, you have to be root. It is an administrator user.
    Because not just everyone can install programs, for security reasons. Look, just change to the admin user by typing "su". OK, now enter the root password. I DON'T KNOW! You mean you don't know your root password?

    (10 minutes later)

    Mom, you should NOT use the dog's name as the password. Because it is insecure! Nevermind. Just type "make install". There. Now it is installed.

    No, there is no icon, you have to type the name of program to run it. Type it. What? I don't know, what was the name of the binary after you compiled it? A binary file is a program you run. You compiled it when you typed "make". Hmm, let's look in the Makefile. Type "vi Makefile". What do you mean it is blank? Oh, wait. Use capital M. Type ":r Makefile" with a capital M.

    OK, now you are in vi, the most powerful editor ever. WHAT DO YOU MEAN YOU PREFER EMACS!!!!

  • by Bambi Dee ( 611786 ) on Friday April 09, 2004 @09:15AM (#8814349)
    But, since when has the help menu actually ever been useful anyway?

    It allows completely innocent newbies to access the Microsoft newsgroups where they might run into "MVP"s with psychic powers who'll help with problems like "im on the computer then erro comes up". I have no idea how they do that.

  • by 5.11Climber ( 578513 ) on Friday April 09, 2004 @09:48AM (#8814665)
    What's a floppy??? Don't they have pills or something to fix it??
  • by gotw ( 239699 ) <ninjacyclist&gmail,com> on Friday April 09, 2004 @10:11AM (#8814882) Homepage
    Linux is *not* user friendly, and until it is linux will stay with >1% marketshare.

    I was hoping linux would keep its marketshare above 1% anyway.
  • by fucksl4shd0t ( 630000 ) on Friday April 09, 2004 @10:13AM (#8814905) Homepage Journal

    Phone rings.

    Hi mom. You want to install a program? Ok, what's it called?

    Great! Now open a terminal window. It's a command line interface and it's much more powerful than a gui. Got it open? Great. Now you have to become the superuser, so type 'su' and then put in the password.

    You don't know your root password? Ask dad.

    Ok, great, so now you're root. Now type "urpmi", a space, and the name of the program you wish to install.

    It's asking for the CD that contains the program. Put that CD in and follow the directions.

    You're done, now? Great! Now just click on your K menu and you should find it under "Applications". You don't have a K menu? You have a little paw. Ok, click the little paw, yes I know it's cute. Found it? Glad to help!
