IE Download.Ject Exploit Fixed
Saint Aardvark writes "Just in time for the weekend, the Internet Storm Center is reporting that Microsoft is providing a fix for the Download.Ject vulnerability that hit IE late last month. The press statement says that it'll hit Windows Update later today..."
Re:Got it, but.. (Score:1, Interesting)
We won't even get into the fact that my online banking instantaneously loads on IE yet takes several
Re:That reminds me... (Score:5, Interesting)
I, for one, do NOT look forward to the coming mandatory auto-patching, but I suppose it is inevitable with Microsoft.
Re:NOT an actual fix (Score:3, Interesting)
Why Ject? (Score:2, Interesting)
Re:That reminds me... (Score:2, Interesting)
Problem: he is a dial up user and is never connected long enough at home to keep his system current.
So Windows will have to hijack the internet connection in order to get the downloads or half-knowledgeable users like this guy will still be victims.
Re:In Other News... (Score:5, Interesting)
Can somebody at DoHS recommend switching to another browser every day so MS will start working on the backlog of bugs?
Another question: Are there enough of those high-flying MS developers still working on the IE codebase to make the changes in a timely manner, or is there an aging skeleton crew to fix the vulnerabilities, not too motivated since they were passed up for work on
I wonder.
Somebody probably lit the proverbial fire under their bums this morning.
(They know how hard it is to get people to switch browsers. It took a while (2 years) with Netscape, and NS Communicator was a POS). I guess they are at the edge of the cliff and realized there's nowhere but down.
Yippee! (Score:5, Interesting)
And, while it's unfortunate that many people don't (or can't) run Windows Update, it works well for people with fast connections who are behind firewalls so their systems don't get screwed up before they can patch them!
Re:MOD PARENT UP. (Score:1, Interesting)
Is this just coincidence? (Score:4, Interesting)
Re:FYI (Score:5, Interesting)
First, to release a patch to a commercial application used by millions of people is inherently troublesome. You've got to make sure you test it thoroughly...because unlike Open Source, the liability is on YOU if people can't get their work done. If there is a change to an existing setting that can defray the effect of the vulnerability and give you more time to test, it would be remiss of you not to inform customers of it. Would you rather they ask customers to wait a few days until the patch is thoroughly QA'd?
Second, I have never -- that means NOT EVER -- seen an IE fix that broke my machine worse than a virus would. The fix might cause problems with IE, but it wouldn't cause my machine to send spam email against my will. And the VAST majority of IE fixes have had no ill effects whatsoever. On the other hand, emerging the latest from gentoo causes something to break a substantial percentage of the time.
I do agree that IE isn't the best browser ever, but this doesn't excuse you from putting blame where it doesn't belong. If you're going to fault Microsoft for anything, fault them for not being up front about the patch process. They should let us know at every step of the way what the problem is, how to patch it for now, when a fix will be ready and how to defray such bugs from allowing exploits in the future. That's one cue from OSS they'd be smart to heed. All software is buggy. Pretending it's not is tantamount to pretending you aren't going to fix it.
Re:Got it, but.. (Score:3, Interesting)
What? Like sites that do not function if they can't open a thousand windows? or can't force you to agree to download and install something without crashing the browser? (insert zillions of other annoying or dangerous exploits here)
If a site REQUIRES Internet Explorer perhaps you shouldn't go there. I mean now that the Department of Homeland Security is urging people not to use IE, Your bank better think real hard about requiring you to use it.
Re:NOT an actual fix (Score:2, Interesting)
Mind you, that still leaves the door open for someone clever to put an entry in the HOSTS file and do some nifty DNS man-in-the-middle trick, sending the unaware user somewhere else and trusting that "fake" windowsupdate.microsoft.com
Which is nice.
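The HOSTS-file redirection described in the comment above is easy to check for. The following is an added example, not code from the original thread or from Microsoft: it parses a HOSTS file the way the resolver does (first field is the address, remaining fields are names, everything after `#` is a comment) and reports any entry that overrides a Windows Update hostname. Only windowsupdate.microsoft.com appears in the thread; the other watched names and the sample HOSTS lines are constructed for illustration.

```powershell
# Added example: detect HOSTS-file overrides of Windows Update hostnames.
# An attacker who can write to this file can point windowsupdate.microsoft.com
# at a host they control; the patch mechanism itself then becomes the delivery path.

$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"

# windowsupdate.microsoft.com is named in the thread; the others are assumed
# update hostnames added here for coverage.
$WatchedNames = @(
    'windowsupdate.microsoft.com',
    'v4.windowsupdate.microsoft.com',
    'update.microsoft.com',
    'download.windowsupdate.com'
)

function Get-HostsOverrides {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [Parameter(Mandatory)][string[]]$Names
    )
    $lineNo = 0
    foreach ($line in $Lines) {
        $lineNo++
        # Strip trailing comment and surrounding whitespace
        $clean = ($line -split '#', 2)[0].Trim()
        if ($clean -eq '') { continue }
        $fields = $clean -split '\s+'
        # A valid entry needs an address and at least one name
        if ($fields.Count -lt 2) { continue }
        $address = $fields[0]
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            if ($Names -contains $name.ToLowerInvariant()) {
                [pscustomobject]@{
                    LineNumber = $lineNo
                    Name       = $name
                    Address    = $address
                    Raw        = $line
                }
            }
        }
    }
}

# Constructed sample HOSTS content (not a real file) showing a benign entry,
# a comment, and a malicious override of the update host.
$SampleHosts = @(
    '# Copyright (c) 1993-1999 Microsoft Corp.',
    '127.0.0.1       localhost',
    '192.0.2.10      windowsupdate.microsoft.com   # "fake" update server',
    '   ',
    '192.0.2.10      v4.WindowsUpdate.microsoft.com'
)

Write-Host "Overrides in constructed sample:"
Get-HostsOverrides -Lines $SampleHosts -Names $WatchedNames | Format-Table -AutoSize

# Run against the live file when it is present
if (Test-Path $HostsPath) {
    $found = @(Get-HostsOverrides -Lines (Get-Content $HostsPath) -Names $WatchedNames)
    if ($found.Count -eq 0) {
        Write-Host "No update-host overrides found in $HostsPath"
    } else {
        Write-Warning "Update hostnames overridden in $HostsPath:"
        $found | Format-Table -AutoSize
    }
}
```

Against the constructed sample this reports two overrides (line 3 and line 5); the matching is case-insensitive because the resolver's is. A clean HOSTS file is not a complete defence, since the same redirection can be done at the DNS resolver or on the path, which is why update clients should also verify the signature on what they download rather than trust the hostname alone.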
Re:I have a feeling (Score:3, Interesting)
It's worse than that. MS only appears to care about big customers, typically large corporations, institutes, and government departments, i.e. places that are behind a firewall and have (nominally) competent IT staff to keep the network running smoothly. Just look at the number of TCP/UDP ports they keep open. That sort of behaviour is ok on a safe intranet, but it's sheer negligence for home users connected directly to the internet. I'm constantly seeing incoming requests to the "windows networking" ports (137, 135, 445) on my ADSL connection. Those ports just should not be open to the wider internet. And lastly, witness the number of error dialog boxes in windows that simply advise the user to seek help from "the network administrator".
It's the big customers that MS cares about, not the home users. And we're all worse off when the latest round of worms clog up the internet.
Attack and solution known since Aug. 2003 (Score:5, Interesting)
FullDisclosure: ADODB.Stream object [seclists.org]
Any attack vector that relies on an ActiveX control can be stopped by setting the killbit. This is IE security 101.
-weld
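The kill bit mentioned above is a per-CLSID registry flag: IE refuses to instantiate a control from a web page when bit 0x400 of the `Compatibility Flags` value under `HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}` is set. The following is an added example, not code from the original thread or from Microsoft, that sets and verifies the kill bit for an arbitrary CLSID. The CLSID supplied as the default is the one I believe belongs to ADODB.Stream; the thread does not state it, so treat it as an assumption and confirm it under `HKCR\ADODB.Stream\CLSID` on the machine you are hardening.

```powershell
# Added example: set and verify the IE ActiveX "kill bit" for a CLSID.
# Must be run elevated; it writes to HKLM.

# Assumed CLSID of ADODB.Stream. Verify with:
#   (Get-ItemProperty 'Registry::HKCR\ADODB.Stream\CLSID').'(default)'
$AdodbStreamClsid = '{00000566-0000-0010-8000-00AA006D2EA4}'

# Bit 0x400 in "Compatibility Flags" is the kill bit.
$KillBit = 0x400
$CompatBase = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-CompatibilityFlags {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $CompatBase $Clsid
    if (-not (Test-Path $key)) { return $null }
    $prop = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return [int]$prop.'Compatibility Flags'
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $flags = Get-CompatibilityFlags -Clsid $Clsid
    return ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
}

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $CompatBase $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = Get-CompatibilityFlags -Clsid $Clsid
    if ($null -eq $current) { $current = 0 }
    # OR the bit in rather than overwrite, so other compatibility flags survive
    $new = $current -bor $KillBit
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
    return Test-ActiveXKillBit -Clsid $Clsid
}

# Usage: kill ADODB.Stream and report the result
if (Set-ActiveXKillBit -Clsid $AdodbStreamClsid) {
    Write-Host "Kill bit set for $AdodbStreamClsid"
} else {
    Write-Warning "Kill bit NOT set for $AdodbStreamClsid (check privileges)"
}
```

Two caveats a practitioner will want: the kill bit only blocks instantiation by IE (and other hosts that honour the ActiveX Compatibility key), so a control remains usable by scripts run outside the browser; and on 64-bit Windows the 32-bit browser reads the key under `HKLM\SOFTWARE\Wow6432Node\...`, so set it in both hives if you need the block to hold for both bitnesses.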
Re:IE Features (Score:2, Interesting)
Security and MS "Getting it" (Score:5, Interesting)
When MS started its rise to the top, they hired as many of the brightest minds as they could to make their software the best of class. While many of us probably find the corner-cutting a bit too much to take, it is possible to have both world-class software while meeting a marketing deadline. It happens, but less frequently than MS or its defenders/supporters would like to think it does (lightning striking the same point twice *without* a lightning rod).
They continued to compete heavily in the OS market despite the fact that they initially wanted to be nothing more than a computer language business. The OS was to be the cash cow that would allow them to be a more effective language business. But now they own the OS business and are driving their business model into other ventures (consoles, entertainment centers, telephones, automotive brainboxes, etc). They just follow the same formula that led to their smashing success in moving into the OS and office app market: buy the best brains in the field and use their project management skills and VOILA!, they are the new masters of the [insert market segment].
But consider the sandbox their bright minds play in: a homogeneous computing environment with computer scientists guarding the facility from outside intrusion. As has been noted in another slashdot article [slashdot.org], Microsoft's products work wonderfully inside of Microsoft's campus.
They have extremely talented people working with the highest-end equipment in an environment where everything works nearly 100% of the time. Is it so surprising that they do not view the world the way we do?
After all, most of the companies that I have worked for are staffed with (largely) computer-illiterate people and whose firewall is maintained by a PFY with a high-school diploma.
Perhaps it would be better for Microsoft if they force their developers to create their products in environments that their customers use. In fact, maybe they should send their developers to test their products in the heterogeneous environments of their customers for a month or two.
Let them work the bugs out on their time for a change.
Re:Got it, but.. (Score:3, Interesting)
Re:FYI (Score:3, Interesting)
Re:Windows 9x and Windows ME users still vulnerabl (Score:3, Interesting)
At the risk of repeating myself, Microsoft STILL hasn't got it.
Re:Got it, but.. (Score:3, Interesting)
Someone tried to make a database as a Sr. project that needed some sort of info from the official enrolled student database, I forget exactly what but it wasn't even anything specific, just the number of students enrolled in each college or major, but they wouldn't release it because of privacy concerns. I stopped trying to figure out why they do things and just accept it as a government agency and change will take 20 years. This portal that was bought by the state for every CSU in the system (29 campuses) I have heard is the worst portal system there is on the market. But hey, we got it cheap!