IE Download.Ject Exploit Fixed
Saint Aardvark writes "Just in time for the weekend, the
Internet Storm Center is reporting that Microsoft is providing
a fix for the Download.Ject vulnerability that hit IE late
last month. The press
statement says that it'll hit Windows Update later
today..."
NOT an actual fix (Score:1, Insightful)
Got it, but.. (Score:5, Insightful)
Re:FYI (Score:5, Insightful)
I think I lost count at about 1000 when it comes to these "this will help for now..." When it comes to IE most fixes end up as patches that can actually break more than they fix. I think the Dept. of Homeland Security's recommendation of not using IE speaks loud and clear to this.
Microsoft could start by not allowing web sites to automatically run malicious code, just as Outlook has the same tendency with emails (which, incidentally, most email viruses spread rapidly with).
Loaded terminology... (Score:5, Insightful)
vs.
"A week or so ago"
I know Microsoft is not one for timely updates, but this wording makes it sound like Microsoft has been sitting on this particular problem a lot longer than they have.
Re:Um (Score:2, Insightful)
While this is great for most home users, a lot of people (including myself) do not do this. I want to know exactly what is being put on my system. I don't need the Euro conversion utility. I don't need Windows Media Player 9. Right now there are 8-10 things that it has wanted to install for over a year that I refuse to put on.
late last month means (Score:5, Insightful)
48 Hours (Score:0, Insightful)
Re:Got it, but.. (Score:4, Insightful)
IE Features (Score:5, Insightful)
ActiveX should never have been embedded into a browser in the way it has been. Yet for most of the sites that I have to use IE for, it is because of ActiveX controls.
Microsoft tricked a lot of the world into using ActiveX and now they're paying the price.
I can hear the support conversations already -
"Yes, if your security zone is set to high your computer won't be vulnerable. But if you want to view anything with ActiveX (read: multimedia) you'll have to turn these vulnerabilities back on."
Does anyone else find this mildly insane?
Re:I have a feeling (Score:2, Insightful)
I am sure you are all aware that Windows is a fairly large OS that is designed to be easy to use for novices but allow Power Users to do their thing as well. I think it accomplishes that fairly well. They provide automatic updates to every computer now (if you are not too lazy to turn it on). I realize that this option is turned off by default but this is more because of the people (*cough* slashdotters *cough*) that say that MS will somehow steal all their secrets if you let them install updates automatically. I think MS does a good job updating the system.
Also, if I see one more reply to an IE article with the line "Download the patch here [mozilla.com]" rated as "Funny", I will kill myself.
Re:Yippee! (Score:5, Insightful)
It was less than a week, wasn't it?
Nope [netcraft.com]
Re:FYI (Score:5, Insightful)
Now I call FUD on you. MS's EULA clearly states that they aren't liable for ANYTHING that their software does or does not do. Face the facts, IE is broken by design, and the only realistic alternative is to switch to another browser.
Re:FYI (Score:5, Insightful)
Oh, really now?
So where do I have to send my bill on lost work hours due to MS exploits to get a refund?
Re:FYI (Score:2, Insightful)
I thought they already had - three in fact - Internet Explorer, Outlook Express and IIS. They seem to be getting away with it so far.
Re:FYI (Score:4, Insightful)
Follow along, because perhaps you're a clueless MS programmer and don't get it.
1) IE really is integrated into Windows. Sure, delete that icon on the desktop, but the entire help system is based around IE, the email client is based around IE, in fact every feature of the GUI is based around IE. You can't swing a memory mapped file without hitting a couple of IE APIs.
2) IE itself contains provisions called BHOs and ActiveX controls that let you add new functionality to IE.
3) Therefore if IE is part of the operating system, and IE can be significantly altered either inadvertently ("Hey buddy, click here to win 1 million dollars!") or through a buffer overflow or similar trick, then you've given untrusted code a relatively easy path to alter the core OS.
4) Let's go through this again, because you're slow.
5) IE is core to OS, IE can be easily corrupted by executables on the web, therefore, the core OS is subject to security breaches simply by a user browsing the web.
I don't know how to make this clearer. The things I've seen IE do to Windows XP in the past 4 weeks make my hair stand on end. A simple click by a friend, who tried to close a popup, missed by 1/4" and basically allowed an ActiveX control to run rampant, cost us an entire two days' work.
* The virus protection saw the problem but wasn't fast enough to fix it
* Spybot S&D 1.3 with latest patches was *BLIND* to this infection
* SpySweeper was able to kill things off, but only after we disabled system restore because guess what, every new piece of malware hijacks system restore and the system continuously reinfects itself.
Let's step back and see what's happening.
By design, IE has set up the entire Windows OS so that one inadvertent click in a user process can completely corrupt the OS.
*AND IT'S DONE ON PURPOSE*
Honest to god, if someone told me that MS was that stupid 10 years ago, I'd laugh. But I've seen it with my own eyes. IE is so awful that it should not be used. The US government now recommends you shouldn't use it.
I like Windows XP, but IE is fatally flawed and must be rewritten. But hey, it's so integrated in the OS that guess what... you have to rewrite the OS.
Holy cow, open your eyes. It's BAD out there!