IE Download.Ject Exploit Fixed

Saint Aardvark writes "Just in time for the weekend, the Internet Storm Center is reporting that Microsoft is providing a fix for the Download.Ject vulnerability that hit IE late last month. The press statement says that it'll hit Windows Update later today..."

NOT an actual fix

[Anonymous Coward]

It's a "configuration change" to work around the problems that are still there. Many users won't do what they recommend (ie high security) because it'll be inconvenient or "hard."

Got it, but..

[Dynamoo]

Got it, but in the meantime I switched to Mozilla Firefox [mozilla.org] and I honestly don't see any reason to go back to IE apart from a handful of aggressively IE-only sites.

Re:FYI

[quadra23]

This is just another "this will help for now, please wait for the real fix" incident from Microsoft.

I think I lost count at about 1000 when it comes to these "this will help for now..." When it comes to IE most fixes end up as patches that can actually break more than they fix. I think the Dept. of Homeland's Security recommendation of not using IE speaks loud and clear to this.

Microsoft could start but not allowing web sites to automatically run malicious code, just as Outlook has the same tendency with emails (which incidently, most email viruses spread rapidly with).

Loaded terminology...

[Anonymous Coward]

"Late last month"

vs.

"A week or so ago"

I know Microsoft is not one for timely updates, but this wording makes it sound like Microsoft has been sitting on this particular problem a lot longer than they have.

Re:Um

[ViolentGreen]

You can have Automatic Update download and even install things on Windows XP.

While this is great for most home users, a lot of people (including myself) do not do this. I want to know exactly what is being put on my system. I don't need the Euro conversion utility. I don't need windows media player 9. Right now there are 8-10 things that it has wanted to install for over a year that I refuse to put on.

late last month means

[Zed2K]

Late last month actually means June 25th. Which by my count was only 1 week ago. But it wouldn't be a bash microsoft topic without a little twisting and manipulation.

48 Hours

[Anonymous Coward]

Riiiiiiiight....

Re:Got it, but..

[Lehk228]

troll? are you using .7?

IE Features

[johnhennessy]

What use are IEs extra features if they have to be turned off by default.

ActiveX should never have been embedded into a browser in the way it has been. Yet most of the sites that I have to use IE for is because of ActiveX controls.

Microsoft tricked a lot of the world into using ActiveX and now they're paying the price.

I can hear the support conversations already -
"Yes, if your security zone is set to high your computer won't be vulnerable. But if you want to view anything with ActiveX (read: multimedia) you'll have to turn these vulnerabilities back on."

Does anyone else find this mildly insane ?

Re:I have a feeling

[Mishkin]

Well take a look here [asp.net] and see the blog of a windows developer. He really does get upset when people say that MS doesn't care about security.
I am sure you are all aware that windows is a fairly large OS that is designed to be easy to use for novices but allow Power Users to do their thing as well. I think it accomplishes that fairly well. They provide automatic updates to every computer now (if you are not too lazy to turn it on). I realize that this option is turned off by default but this is more because of the people (*cough* slashdotters *cough*) that say that MS will somehow steal all their secrets if you let them install updates automatically. I think MS does a good job updating system.


Also, if I see one more reply to an IE article with the line "Download the patch here [mozilla.com]" rated as "Funny", I will kill myself.

Re:Yippee!

[Anonymous Writer]

It was less than a week, wasn't it?

Nope [netcraft.com]

Re:FYI

[nate1138]

the liability is on YOU if people can't get their work done

Now I call FUD on you. MS's EULA clearly states that they aren't liable for ANYTHING that their software does or does not do. Face the facts, IE is broken by design, and the only realistic alternative is to switch to another browser.

Re:FYI

[Kent Recal]

because unlike Open Source, the liability is on YOU if people can't get their work done.

Oh, really now?

So where do I have to send my bill on lost work hours due to MS exploits to get a refund?

Re:FYI

[o_kenway]

but I guarantee you that if Microsoft knowingly released an IE patch that fucked the whole internet, there would be lawsuits.

I thought they already had - three in fact - Internet Explorer, Outlook Express and IIS. They seem to be getting away with it so far :-)

Re:FYI

[Anonymous Coward]

"What makes an environment "unsandboxable"?"

follow along, because perhaps you're a clueless MS programmer and don't get it.

1) IE really is integrated into windows. Sure, delete that icon on the desktop, but the entire help system is based around IE, the email client is based around IE, in fact every feature of the GUI is based around IE. You can't swing a memory mapped file without hitting a couple of IE API's.

2) IE itself contains provisions called BHO's and ActiveX controls that let you add new functionality to IE.

3) Therefore if IE is part of the operating system, and IE can be significantly altered either in advertantly ("Hey buddy, click here to win 1 million dollars!") or through a buffer overflow or similar trick, then you've given untrusted code a relatively easy path to alter the core OS.

4) Lets go through this again, because you're slow.

5) IE is core to OS, IE can be easily corrupted by executables on the web, therefore, the core OS is subject to security breaches simply by a user browsing the web.

I don't know how to make this clearer. The things I've seen IE do to Windows XP in the past 4 weeks make my hair stand on end. A simple click by a friend, who tried to close a popup, missed by 1/4" and basically allowed an ActiveX control to run rampant, cost us an entire two days work.

* The virus protection saw the problem but wasn't fast enough to fix it
* Spybot S&D 1.3 with latest patches was *BLIND* to this infection
* SpySweeper was able to kill things off, but only after we disabled system restore because guess what, every new piece of malware hijacks system restore and the system continuously reinfects itself.

Lets step by and see what's happening.

By design, IE has set up the entire Windows OS so that one inadvertant click in a user process can completely corrupt the OS.

*AND ITS DONE ON PURPOSE*

Honest to god, if someone told me that MS was that stupid 10 years ago, I'd laugh. But I've seen it with my own eyes. IE is so awful that it should not be used. The US government now recommends you shouldn't use it.

I like Windows XP, but IE is fatally flawed and must be rewritten. But hey, its so integrated in the OS that guess what... you have to rewrite the OS.

Holy cow, open your eyes. Its BAD out there!