Another Critical Microsoft Hole
gmuslera writes "It was not enough that the recent vulnerability in IE could run any program on an unpatched Windows system. Now there is another, related to an ActiveX control, that can make IE and IIS run any code on the system. The Microsoft solution? Kill the related ActiveX control and replace it with a safe one. The Microsoft problem? As this control is Microsoft signed, any site can require it, upload it and replace the "good" one with the vulnerable one. The final recommendation from Microsoft? Don't trust/run ActiveX controls signed by Microsoft." Gimble points to the appropriate locations on Microsoft's website: "Another buffer overrun (that allows arbitrary code to be run) has been admitted to by MS, and it affects IIS and IE on clients (but not on XP), and they have a patch available here: Security Hotfix for Q329414. The kicker is that a patched system can be rendered vulnerable again by a hostile web site or HTML email. The 'solution' from MS in Microsoft Security Bulletin MS02-065 recommends that you remove MS from the list of Trusted Publishers."
Aaahhhh! (Score:4, Funny)
Noooooo!
Minesweeper WON'T stop coming up!
--This girl at the library the other day
Re:Aaahhhh! (Score:5, Funny)
ATTN: Slashdot Editors (Score:4, Funny)
Re:Aaahhhh! (Score:4, Funny)
That depends. According to their bulletin, you can't trust MS. But the bulletin came from MS, so you can't trust the bulletin. So you can trust MS. Which means you can't trust them, which...
Ah, the classic "I am lying" paradox...
Re:He's right about the fonts (Score:5, Funny)
why the kill bit does not work. (Score:5, Insightful)
Why isn't it feasible to set the Kill Bit in this case?
The ActiveX control involved in these vulnerabilities is used in many applications and web pages to access data. Many applications, including third-party applications, contain hard-coded references to it; if the patch set the Kill Bit, the web pages would no longer function at all - even with the new, corrected version. As a result, the patch updates the control to remove the vulnerabilities, but does not provide a brand-new control and set the Kill Bit on the old one.
Conclusion:
-Microsoft refuses to kill itself.
how does this relate to: the story Microsoft on Security: We'll Break Your Apps [slashdot.org]
Hey... Linus refused to change the behaviour of kill -9 -1 also
Re:He's right about the fonts (Score:4, Interesting)
While that would be better for Mozilla (more bugs would be found faster, and there would be more incentive to become as homogeneous across platforms as possible), I'm not sure if it would help Windows users all that much, because by default Windows users are at or near the equivalent of root users. Windows is a security-weak OS. Granted, integrating something like a web browser so tightly with the OS doesn't help, but the problem is still that regular Joe user is allowed to do a lot of damage on his own with little or no checks and balances. Don't get me wrong. I don't like Windows, and I choose to run Linux on my desktop, but Microsoft-related security problems go a lot deeper than just IE.
Personally, I'm not sure there's a way around this problem. Attackers are smart and well-informed. Not being fooled into running bad stuff requires knowledge, a healthy dose of skepticism, and vigilance. The problem with Microsoft software in general is that it makes it trivial for the ignorant user to run bad stuff. If all the buffer overflow and security holes were fixed tomorrow, it still wouldn't stop companies from developing spyware, nor would it stop attackers from using social engineering to find ways into systems. This plagues even the non-MS world (look at the recent compromises in OpenSSL and sendmail).
Here's an analogy: Imagine that I was a "car cracker", and I devised a way to sneak into gas stations and replace their fuel with sugar water. NO ONE would notice until their cars stopped running and their engines seized. Why? Who smells or tastes or tests gasoline from the pump before it goes into their car? The only real thing stopping someone from actually doing something like this is the logistics of cracking a gas station's fuel supply. As a result, people have a reasonable (and yes, in this case it is reasonable) amount of trust in what's coming out of the pump (even if it is gasohol).
However, it's much easier in the world of easily-reproducible flying bits to do something very similar. There's a much smaller barrier there. Now users really should smell/taste/test their gasoline before they put it into their car. The only problem is, just like with the car analogy, there are few to no tools available to make that process available to the common consumer. What's worse is that even if there were, the common consumer is so lazy, they probably wouldn't take advantage of them unless they were forced to.
No, I am not an advocate of DRM. I hate the stuff. If anyone ever tells me I can't use my computer the way I want, I'll kill 'em (metaphorically...I don't wish actual physical harm to befall anyone...it's not my place to judge and dispense punishment). My point is that Windows has a very long way to go before these types of problems will become manageable again, with or without Internet Explorer.
In a lot of situations, installing software is less like putting gas in your car and more like buying 50 kilos of cocaine. In that scenario the buyer doesn't trust that the seller hasn't cut the dope. As a result he has the tools (guns and methods of determining drug purity) to help ensure the transaction goes smoothly.
Okay, maybe that analogy doesn't work either, but I think you get my point.
Sound Advice (Score:3, Funny)
Re:Sound Advice (Score:5, Funny)
Re:Sound Advice (Score:3, Insightful)
Re:Sound Advice (Score:3, Interesting)
Re:Sound Advice (Score:5, Funny)
Suppose MS says that they shouldn't be trusted. Assume you think it's right, so you don't trust 'em, so you believe THAT sentence is false! Therefore MS should be trusted. So of course you must trust 'em, and believe they shouldn't be trusted... And so on & on!
Finally their claim is just another way to make your system / brain crash due to stack overflow...
Re:Sound Advice (Score:3, Insightful)
Re:Sound Advice (Score:5, Funny)
Microsoft1: All things you need to trust are from Microsoft.
Microsoft2: But all things are not always me need to trust are from Microsoft.
Microsoft1: Umm. But all things are not always are not always you need to trust are from Microsoft.
Microsoft2: Interesting. But all things are not always are not always are not always me need to trust are from Microsoft.
Microsoft1: Interesting. But all things are not always are not always are not always are not always you need to trust are from Microsoft.
Microsoft2: Huh. But all things are not always are not always are not always are not always are not always me need to trust are from Microsoft.
Microsoft1: Huh. But all things are not always are not always are not always are not always are not always are not always you need to trust are from Microsoft.
Microsoft2: Umm. But all things are not always are not always are not always are not always are not always are not always are not always me need to trust are from Microsoft.
Microsoft1: And. But all things are not always are not always are not always are not always are not always are not always are not always are not always you need to trust are from Microsoft.
etc.
Don't trust Linux either... (Score:4, Interesting)
Open Source and Linux: 2002 Poster Children for Security Problems
November 12, 2002
Open source software is now the major source of elevated security vulnerabilities for IT buyers. Security advisories from Cert for the first 10 months of 2002 show that open source and Linux software accounted for more than half of all advisories. The poster child for security glitches is no longer Microsoft; this label now belongs to open source and Linux software suppliers.
Read more here [aberdeen.com]
Re:Don't trust Linux either... (Score:5, Insightful)
in addition, i think you'll find that since applications and libraries can be used by 3rd party applications more easily on open source systems, you have more code re-use. thus, 1 vulnerability, such as the one in OpenSSL, turns into 10 when you count in all the packages that use OpenSSL's SSL libraries. since MS closes the ssl libraries that they use with IIS, you'll find that there are probably 10 different ssl implementations on any one MS based system.
a third point is that this study counts advisories from each vendor regarding the same application as separate advisories. so you have the following situation:
1 bug in OpenSSL affects 10 applications that use the OpenSSL libraries. advisories for those 10 applications are reported by 10 different Linux vendors. therefore, 1 bug in a piece of linux software generates 100 vulnerability reports. according to this logic, there are still roughly 100X more bugs in microsoft software alone than there are in every piece of software that is capable of running on Linux based OS's. that number is somewhat inflated, however my points are still valid: this study is turning 1 bug into many and comparing apples to oranges.
Microsoft ActiveX Controls? (Score:3, Insightful)
This bodes well (Score:5, Insightful)
I'm all for code signing for authenticity, but not for code signing as execution control. Code signing should be purely an audit mechanism.
Re:This bodes well (Score:5, Funny)
Re: Another critical Microsoft hole (Score:5, Funny)
Difficult to read this post is, hmmm?
Re:Oooo! He card read good! (Score:5, Funny)
karmasuicide2k2
"Don't trust Microsoft" (Score:4, Funny)
Microsoft Security Bulletin MS02-065 (Score:3, Informative)
More Bias (Score:5, Insightful)
*flame retardant jacket on*
That is all.
Re:More Bias (Score:5, Insightful)
As you say - there are bugs in ALL software - but there are great differences in how quickly those bugs are fixed!
Re:More Bias (Score:3, Insightful)
Re:More Bias (Score:5, Funny)
Maybe we should apply the SECURE teenager patch I thought I saw somewhere....
Re:More Bias (Score:3, Insightful)
I seem to remember a poll that indicated that a significant portion of the
I can, however, see that the updates are quite one-sided. Is it, perhaps, that fewer people submit the Linux-related bugs? Or that the editors choose to publish more Microsoft-related ones? I think only they know for sure. Either way, people benefit.
Re:More Bias (Score:5, Insightful)
Because samba et al. use a completely different security philosophy. This shows and proves something that many people have said before, namely that MS' security philosophy based on "trust us, we know better what to do" is flawed. In the light of this news you can only laugh about popups like "Always trust content from Microsoft Corp.".
This is also not very encouraging for MS' auto-update feature in XP, and their whole fucking ideas of stuff in their OS's downloading components from the net without asking the user.
Note that the above is also true for other software publishers, but MS takes the spotlight for various reasons, like their omnipresence and their bullheadedness concerning these problems.
Re:More Bias (Score:4, Interesting)
Until that day, I'll get my kicks from MS bashing. You've read and heard the things Ballmer & co have said about Linux (I particularly liked the "Linux is unamerican" comment, hehe).
So cease thy whining and either bash or don't. No need to pass judgement unless you're prepared to accept that the whole world is guilty of the behaviour you are so desperate to eschew.
More design flaws (Score:5, Insightful)
What we have here is a clear case of people letting their ideology interfere with their business sense. Ideology / religion seems to be the only reason anyone would not go right over to better products like Opera or Mozilla. The only value MSIE can add, besides keeping the AV and security consultants in gravy, is vendor lock-in.
Microsoft is falling further behind in technology every month. Rather than trying to catch up, they've been trying to hold everyone else back. It's time for them to get out of the way and stop hindering economic growth in the IT sector.
Re:More Bias (Score:5, Insightful)
Slashdot reports security vulnerabilities that affect large portions of the userbase. All of the above affect large portions of the OSS world, and IE vulnerabilities affect the vast majority of the workstation userbase (globally!). The difference between OSS and Microsoft security bulletins, however, tends to be that the OSS bulletins are generally followed up shortly after release with "... and get the patch here, here, and here, and download [updated|backported] versions from your vendor here, here, and here". Only too often do we see updates to Microsoft bulletins that read along the lines of "... and Microsoft is stonewalling [me|us] ... " or "... Microsoft has officially denounced this as invalid ... " or "... Microsoft has accepted the bug report and is working on a solution ... " (which doesn't arrive for six weeks, and does so very silently with little more than yet-another-MS-bulletin and another item in the Windows Update listing).
The reason Slashdotters 'bash' Microsoft, especially in the face of "yet another IE/IIS critical security vulnerability", is that they're so recurring. The fact that this one happens to be digitally signed by Microsoft themselves, and that the only way to get around the vulnerability is to literally stop trusting Microsoft [microsoft.com], makes it more than hilarious; it's downright embarrassing for them. When something embarrasses one of the Open Source world's largest nemeses, and the very giant who has its sights set on Linux (primarily) and phasers set to kill, it gives us a warm tingly feeling, and human nature dictates that when this feeling is present, "I Told You So!" is a response that gives us immense amounts of pleasure.
Speaking of "I Told You So", I have to remember to show this one to our co-op student when he's next in. It'll make for a good practical demonstration of why I told him not to check "Always trust from ... " checkboxes within IE.
Re:Want some cheese with that whine? (Score:3, Insightful)
I've also read "The Dilbert Principle" by Scott Adams as well. It is an insightful and honest book about business.
What the author criticizing Dilbert does is say that by stating and exaggerating some of the bad things business does, he is condoning them. What a load of crap.
As for Microsoft, there are actions that they have taken that I do not like. But I have to use Microsoft products at work and have to know a lot about them. It doesn't mean that I can't also totally disagree with their licensing schemes. And while it may not seem like a big deal to you, my decision at work is whether to let users run ActiveX controls or not. There are big implications here; this story is absolutely not trivial, and Microsoft made a major screw-up in allowing this security hole to exist in this particular product in the first place.
Question (Score:5, Insightful)
Re:Question (Score:4, Insightful)
IIS needs to run as system for a couple of reasons that aren't worth detailing. The issue was that there was no distinction between Local-System and Network-System, as there is now in XP.
Re:Question (Score:4, Funny)
Sure, if you never store personal documents under it.
RTFM : lol... Try Runas.. (Score:5, Informative)
Re:Question (Score:5, Informative)
1. Create a shortcut to Internet Explorer.
2. Right-click the shortcut, choose "Run As...".
3. The options "Current User" and "Protect my computer and data from unauthorized program activity" should be checked.
4. Click OK to run Internet Explorer in "secure mode".
Caveats to running in this mode:
Your bookmarks or links won't appear, but they'll still be there if you run it in normal mode.
Other web-based programs may not run correctly.
You can test to see if it's working by going to Windows Update - if it's secure, you'll see something about having to run Windows Update as an administrator.
This is big (Score:5, Insightful)
The reason they're in this mess is the whole "trusted computing" paradigm which they started with this signed-ActiveX stuff and are continuing with Palladium. Perhaps this will make them reconsider. Quis custodiet ipsos custodes: Who watches the watchers?
Microsoft knows best (Score:4, Funny)
"Don't trust us"
Re:Microsoft knows best (Score:3, Interesting)
In Microsoft's Technet Security Bulletin MS02-065 [microsoft.com]. It's linked from the submission and still not Slashdotted. However, as a free service (maybe you're afraid of surfing to untrusted websites), I am hereby reproducing some of the juicy bits:
Please note that this will generate a warning message EVERY TIME you encounter an ActiveX control - whether it is signed or unsigned. So how would you tell the difference between a 'bad' Microsoft-signed control and a 'good' one (ignoring for a moment the inherent badness in ActiveX)? The short answer is: You can't. You're toast. Muahahahaha!
All I see is not to trust an ActiveX pop-up warning that might be coming from someone OTHER than Microsoft...
Not that easy, I'm afraid. First, if you have been a good astroturfer you have undoubtedly checked the "Always trust content from Microsoft Corporation" checkbox the first time you saw it (or your keeper checked it for you). Therefore, you will NOT be getting a pop-up warning. Second, the pop-up warning you may get if you haven't added Microsoft to your list of Trusted Publishers does indeed come from Microsoft. Bill Gates more or less personally guarantees the security and validity of Microsoft Corporation's digitally signed certificates (unless they've been hacked again, but that's so unlikely that it probably didn't even happen the first time).
Oh and if I see M$ or Micro$oft one more time I'm going to puke...
Most astroturfers do. It's a feature of your implants and nothing to be ashamed of.
The admission is in the faq section. (Score:5, Informative)
What steps could I follow to prevent the control from being silently re-introduced onto my system?
The simplest way is to make sure you have no trusted publishers, including Microsoft. If you do that, any attempt by either a web page or an HTML mail to download an ActiveX control will generate a warning message. Here's how to empty the Trusted Publishers list:
1. In Internet Explorer, choose Tools, then Internet Options.
2. Select the Content tab. In the Certificates section of the page, click on Publishers.
3. In the Certificates dialog, click on the Trusted Publishers tab.
4. For each certificate in the list, click on the certificate and then select Remove. Confirm that you want to remove the entry.
5. When you've removed all entries from the list, select Close to close the Certificates dialog, then click on OK to close the Internet Options dialog.
DOJ reaction (Score:5, Funny)
Today the DOJ announced that they would no longer trust Microsoft and had removed Microsoft from the list of companies it would allow to police themselves. This was done on Microsoft's advice as they felt they could not be trusted not to screw around like they had before.
"Let's face it," said Bill Gates, "asking us to police ourselves is like asking Dan Quayle to front a literacy program; it's just not a good idea."
Incredible... (Score:3, Interesting)
--
What steps could I follow to prevent the control from being silently re-introduced onto my system?
The simplest way is to make sure you have no trusted publishers, including Microsoft.
--
I found it amusing... (Score:5, Interesting)
Re:I found it amusing... (Score:3, Insightful)
Most people just use their Windows systems as administrators; that doesn't mean it has to be that way. You need administrator privileges to do things like install drivers and some software, but not to run what's already on there.
Re:I found it amusing... (Score:4, Insightful)
At least as of Win2K, so many things break when you try to run as non-administrator, it's just not worth it for most people.
I find it amusing... (Score:5, Funny)
Not true... (Score:3, Insightful)
WTF ? (Score:5, Insightful)
Re:WTF ? (Score:3, Interesting)
From bulletin:
===
Why not revoke the certificate that was used to sign the control?
The certificate that was used to sign the control is still valid - the problem lies in the control, not the certificate. In addition, a number of controls have been signed using the same certificate, and revoking the certificate would cause all of them to become invalid.
===
Additionally, there is this tidbit, about killing the control w/o revoking the certificate:
===
Will Microsoft eventually set the Kill Bit on this control?
Yes. Microsoft is developing a new technology that will enable it to set the Kill Bit on the vulnerable version of the control without forcing users to re-author web pages containing references to these controls. When the new technology is available, we will ensure that this fix uses it.
===
Bottom line: they *could* revoke the certificate, but it would screw up other controls that use it.
Re:WTF ? (Score:5, Insightful)
While I commend them for suggesting a fairly complete solution (including not trusting Microsoft-signed controls any more), I piss on them for not being willing to revoke the old control simply because some sites would not work.
Were they to do this, there's no doubt that administrators and programmers everywhere would TRULY understand the issue, and fix their code to not use the hardcoded value. Instead, Microsoft is coddling them, and now we have another hundred thousand zombied machines in DDoS attack-networks.
Why don't people use something else? (Score:5, Insightful)
People don't move to something because, firstly, it's something different and many people are happy to stick with something comfortable. Secondly, many people don't see the point in downloading something that they already have installed (the "it works for me, why do I need anything else?" mentality), and finally, many people never experience the nasty possible ill-effects of these security alerts.
Sure, plenty of people were hit by Code Red, but it never really affected them. Sure, it affected their computer, but as far as their documents were concerned, there was no change.
Until we see a security alert that does cause damage to personal files and does roam rampant in the wild, the average Joe Blow user doesn't give a toss whether there are 6 or 6000 security alerts.
FWIW: .NET may help this... (Score:4, Informative)
Looking forward, I recently picked up
Mobile code that runs in the
Frustratingly, you can't run
Anyway... here's some additional links to M$ references on mobile code:
Security in
Security in the
Re:FWIW: .NET may help this... (Score:3, Insightful)
Does anyone have any reason to allow ActiveX at all? It seems to pretty consistently be a low-benefit recipe for trouble...
.NET has similar design flaw (Score:4, Interesting)
So this is news because it blows the doors off the signed-executable philosophy and makes the sandbox philosophy of the Java VM look like the only viable approach. Notice that the Java approach would have avoided both problems. First, it would have avoided the buffer overrun problem in the first place, since that would be caught by the VM when it examined the code, and second, there would be no signed-app trustworthiness issue.
Does no one realize it's a TROJAN PR MOVE (Score:5, Insightful)
or maybe I'm just nervous 'cause my coffee just accidentally cross-bred with a poison-ivy staph-infection vaccine GE plant and was recalled after I drank it
pm
Install MDAC 2.7 (Score:4, Informative)
Here's a URL for you, even...
MDAC 2.7 Refresh [microsoft.com]
Keeping Windows secure is hard, but it's easier if you install the recent components...
Re:Install MDAC 2.7 (Score:3, Informative)
However, the issue is that even after you've installed the patch, you're still vulnerable, because the vulnerable version will be downloaded and executed as soon as you hit a Web page requesting that version, since it's signed by Microsoft, and most installs trust stuff signed by Microsoft.
Sheesh, now /.ers don't even read the blurb anymore?
Use separate certificates for each control? (Score:5, Interesting)
Wouldn't it make sense for them to just sign every control with a DIFFERENT certificate, so when one is found to be flawed they can revoke the cert and only the new version will install easily?
It's not like MS can't afford the cost of the individual certs, if they aren't a CA themselves already...
Re:Use separate certificates for each control? (Score:5, Insightful)
A bit of fuzzy logic (Score:4, Funny)
A mountain of sloppy code? (Score:4, Informative)
While researching the article linked below, I developed the impression that Microsoft has for years allowed its programmers to submit sloppy code. Now bugs are not easily found or fixed because everything is a mess.
Windows XP Shows the Direction Microsoft is Going [hevanet.com].
MS buffer overrun theory (Score:4, Interesting)
The lack of an snprintf method in the DevStudio standard C lib causes MS developers to use the unbounded sprintf instead, potentially resulting in buffer overruns.
What do you think?
Re:MS buffer overrun theory (Score:4, Informative)
While it's fun to pile on his Majesty Satanic... (Score:5, Insightful)
Security and utility are two contestants in a zero-sum game.
Which is not to say that <insert browser here> isn't a technically superior product...
Feeding this to port 25... (Score:5, Insightful)
From MS02-065 [microsoft.com]:
So, who want to bet that the e-mails we will soon see circulating will have something like:
From: billg@microsoft.com
Subject: You can safely trust me
<html><body> Please read this e-mail carefully and make sure you download the provided control.
Asking people to decide whether or not they trust somebody based on, uh, well, whatever, that's asking for disaster. People will do that based on what they see in the From-field, most likely...
Well, admittedly, I haven't touched a windows machine in a long time, so I might be totally off here... :-)
And while we're at it... (Score:4, Informative)
However, I am getting a little tired at all the MS bashing on Slashdot. It has been said before, but do we really need to have a story posted each time an Outlook/Explorer security breach, no matter how insignificant, is made public?
XP is OK! (Score:5, Insightful)
I don't understand... (Score:4, Interesting)
Re:I don't understand... (Score:4, Insightful)
why remove *ALL* certificates? (Score:5, Insightful)
So OK. If this signed certificates thing was a good idea to begin with, why are they suggesting people remove ALL trusted publishers?
It's only Microsoft's own certificate that can reintroduce the problem. Why would they advise removing all certificates?
Is it because they think their users are too stupid to remove Microsoft only? Are they trying to look less bad by making it look like the problem affects all publishers? Or are they simply admitting that this signed certificate thing isn't working?
Oh, if we can't run anything we want on your system, nobody else should either. pfft.
oktay
I realize most /.ers use IE, but... (Score:5, Interesting)
Click...refresh...huh? (Score:5, Funny)
--note to self--
Consider buying stock in proposed Hades Ski and Ice Skating resort... it must be getting real cold down there about now, somewhere between slushy and completely frozen over.
Unsafe at any release? (Score:5, Informative)
So, to fix this particular little problem needs a hardware replacement "upgrade" :-(
In other news... (Score:5, Funny)
Great solution, what about SPAM? (Score:5, Funny)
"The simplest way is to make sure you have no trusted publishers, including Microsoft. If you do that, any attempt by either a web page or an HTML mail to download an ActiveX control will generate a warning message."
(...)
We could use this idea also with SPAM. Why use Bayesian filters (that still aren't 100% safe)? We could open every single message and decide if it is SPAM or not. If it is SPAM we can then delete it... it's easy!!
This message doesn't need a signature
Score one against DRM !!! (Score:5, Informative)
Q: Why would an attacker be able to silently re-introduce the old version of the control? Shouldn't there be a warning message?
A: A warning message is generated anytime there's an error associated with a digital signature (e.g., a bad signature or expired certificate) or the signer isn't trusted. But in this case, the digital signature on the old version of the control is still valid, and the signer is Microsoft - which is a trusted publisher in many cases. Because of this, most users would not see a warning message of any kind if the old control was re-introduced.
Ha! Microsoft is now providing very well written ammunition to the Anti-DRM movement; this makes me very happy.
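The bulletin's Q&A quoted above and the kill-bit FAQ quoted earlier in the thread both come down to one question: what does the browser actually check before it loads a control? The following is a constructed model of that decision, added here and not Microsoft's code; the CLSID, the version numbers and the HMAC standing in for an Authenticode signature are all assumptions. It shows the silent downgrade to the vulnerable version, why a CLSID-wide kill bit also blocks the patched control (the reason given for not setting it), what an empty Trusted Publishers list changes, and what a version-aware kill bit of the kind the FAQ promises would do.

```python
"""Constructed model of the ActiveX trust decision behind MS02-065.

Not Microsoft's code. It models the load decision just closely enough to
show why a still-valid publisher signature lets a page reinstall the old,
vulnerable control over the patched one without any warning.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

# Hypothetical publisher signing key. A real control carries an Authenticode
# signature chained to a CA; an HMAC over the control's identity stands in.
PUBLISHER_KEYS = {"Microsoft Corporation": b"constructed-demo-key"}


@dataclass(frozen=True)
class Control:
    clsid: str        # the identity web pages hard-code in <object> tags
    publisher: str
    version: tuple    # e.g. (2, 5); the patched build has a higher number
    signature: bytes


def _signed_message(clsid, publisher, version):
    return f"{clsid}|{publisher}|{'.'.join(map(str, version))}".encode()


def sign_control(clsid, publisher, version):
    """Publisher signs a build; the signature stays valid for as long as the key does."""
    key = PUBLISHER_KEYS[publisher]
    sig = hmac.new(key, _signed_message(clsid, publisher, version), hashlib.sha256).digest()
    return Control(clsid, publisher, version, sig)


def signature_valid(ctl):
    key = PUBLISHER_KEYS.get(ctl.publisher)
    if key is None:
        return False
    expected = hmac.new(key, _signed_message(ctl.clsid, ctl.publisher, ctl.version),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, ctl.signature)


@dataclass
class Browser:
    trusted_publishers: set = field(default_factory=set)
    installed: dict = field(default_factory=dict)   # clsid -> installed version
    # clsid -> None (kill every version) or a version ceiling (kill <= ceiling).
    # The ceiling form is my model of the "kill bit on the vulnerable version"
    # the FAQ says Microsoft was developing; it is an assumption, not IE's behaviour.
    kill_bits: dict = field(default_factory=dict)

    def decide(self, ctl):
        """'blocked', 'prompt' or 'silent' for a control a page asks to load."""
        if ctl.clsid in self.kill_bits:
            ceiling = self.kill_bits[ctl.clsid]
            if ceiling is None or ctl.version <= ceiling:
                return "blocked"
        if not signature_valid(ctl):
            return "prompt"          # bad or unknown signature always warns
        if ctl.publisher not in self.trusted_publishers:
            return "prompt"          # valid signature, but the user must decide
        return "silent"              # trusted publisher: no warning at all

    def page_requests(self, ctl):
        """A page's <object> tag asks for this exact build; apply the decision."""
        verdict = self.decide(ctl)
        if verdict == "silent":
            self.installed[ctl.clsid] = ctl.version
        return verdict


CLSID = "{constructed-clsid-for-the-demo}"
OLD = sign_control(CLSID, "Microsoft Corporation", (2, 5))   # vulnerable build
NEW = sign_control(CLSID, "Microsoft Corporation", (2, 6))   # patched build


def scenario_trusted_publisher():
    """Patched machine, Microsoft trusted: the old build silently comes back."""
    b = Browser({"Microsoft Corporation"}, {CLSID: NEW.version})
    return b.page_requests(OLD), b.installed[CLSID]


def scenario_clsid_kill_bit():
    """Kill bit on the CLSID: the old build is blocked, but so is the patched one."""
    b = Browser({"Microsoft Corporation"}, {CLSID: NEW.version}, {CLSID: None})
    return b.page_requests(OLD), b.page_requests(NEW)


def scenario_no_trusted_publishers():
    """The bulletin's advice: the old build now prompts instead of loading silently."""
    b = Browser(set(), {CLSID: NEW.version})
    return b.page_requests(OLD), b.installed[CLSID]


def scenario_version_kill_bit():
    """Version-aware kill bit: old build blocked, patched build still loads."""
    b = Browser({"Microsoft Corporation"}, {CLSID: NEW.version}, {CLSID: (2, 5)})
    return b.page_requests(OLD), b.page_requests(NEW)


def scenario_forged():
    """Without Microsoft's key a hostile site cannot get a silent load."""
    forged = Control(CLSID, "Microsoft Corporation", (2, 5), b"\x00" * 32)
    return Browser({"Microsoft Corporation"}).page_requests(forged)


if __name__ == "__main__":
    for fn in (scenario_trusted_publisher, scenario_clsid_kill_bit,
               scenario_no_trusted_publishers, scenario_version_kill_bit, scenario_forged):
        print(f"{fn.__name__}: {fn()}")
```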
CNN (Score:4, Interesting)
I really like that the mainstream press is using "yet another" here. Think about your neighborhood: if somebody down the street gets burglarized, it's a terrible thing, but it's an isolated incident, and in a couple of days, you'll unload the shotgun and sleep soundly again. But when two houses a week get broken into, well, you're gonna start acting like there's a pattern here.
What will happen when people start treating Microsoft's security lapses like the epidemic they are?
Re:why? (Score:3, Insightful)
Re:why? (Score:5, Informative)
Re:why? (Score:3, Insightful)
To tell you the truth, it's been a while since I've no longer needed stories such as these to convince me that Linux is more secure than Windows... there's no "anger" left (I don't think there ever was; outrage and disdain, yes, but no anger), just a desire to be informed so that I can better protect my Windows-using loved ones...
Re:why? (Score:5, Interesting)
who still use Windows...
I've got half a dozen software packages that are currently only available for Windows or Mac, and as I don't like Macs, I'm stuck with Windows for the time being.
This kind of story is "News for Nerds", and as such, is, IMO, much more valid a story than most that get posted here.
And as far as the Open Source comment; yes, Open Source systems have bugs. However, I don't know of a single one that will have a website pop-up ask you to download a major security hole under the name of trusted computing.
Do you?
Re:why? (Score:3, Interesting)
Also, Windows is more popular, so this sort of thing affects more people, especially clueless ones, the ones we need to educate to switch to Opera (ohokay, Mozilla then)
Re:why? (Score:5, Informative)
I guess the same reason that...
Security Vulnerabilities in KDE 2.1-3.0.4, 3.1 RC3 [slashdot.org]
Trojan Found in libpcap and tcpdump [slashdot.org]
Bind 4 and 8 Vulnerabilities [slashdot.org]
and
Vulnerability In Linksys Cable/DSL Router [slashdot.org]
were posted?
i.e. this particular article would have been posted were it about Windows, Red Hat, Solaris or pretty much any other "widely used" system
Re:why? (Score:3)
. . .or is it because we're always trying to make windows look bad??
You know, I don't think that's fair. The slashdot community dogs out everything they think is controlled by 'the man'. Just look at how much BIND and sendmail get bashed. Granted, these things have proven to be significantly less problematic.
Re:why? (Score:5, Insightful)
1. Yes, a lot of Slashdotters use Windows. I am using it right now. I have to, because that is what is mandated where I work. I am sure that is the case for many other people. I am sure some of the admins have to administer Windows systems. Basically, we are stuck with Windows, so we need to know this information. At home, on the other hand, I only boot up the Windows machine if I need a Quake fix.
2. We don't have to make Windows look bad, it is doing a fine job of doing that itself, thank you very much. Slashdot didn't release this alert, Microsoft did. Would you rather not know about it?
Preaching to the Choir (Score:3, Insightful)
The folks that are out there converting people to free software are the people that read Slashdot. Keeping the Slashdot crowd informed of the latest security holes in Windows, Microsoft's most recent snafu, and the best new open source project allows Slashdot readers to spread the word more effectively. New information and new arguments are key.
Re:why? (Score:5, Informative)
Nearly half of
This would seem to validate the need to have stories about Microsoft software bugs, especially those as grievous as this, on
Re:why? (Score:3, Funny)
"Microsoft innovates"
With a nice little "sponsored by Microsoft" icon right under the headline. That is why..
Re:why? (Score:4, Insightful)
Were the public to follow their suggestion, this would be a big deal. They would basically have deprecated ActiveX controls as a dynamic content strategy (you can use what you have, but you won't get any more). You could argue that this has been done for them over the last year or so, but this is the first time I've seen them admit it.
However you look at it, having a bug that causes even a temporary strategy change is big news, regardless of how you feel about MS.
Your answer... (Score:3, Funny)
Yes.
Re:why? (Score:3, Interesting)
Re:Typical slashdot crap (Score:3, Insightful)
What steps could I follow to prevent the control from being silently re-introduced onto my system?
The simplest way is to make sure you have no trusted publishers, including Microsoft.
Re:Typical slashdot crap (Score:5, Insightful)
To me, this proves that digitally signed code, that is, "trusted systems" are absolutely no guarantee of security. Bad code can be signed.
Re:Typical slashdot crap (Score:4, Insightful)
So many MS supporters think Slashdot readers are hostile to them. It never seems to occur to them that there might be valid reasons for the climate out there.
Re:So what.. (Score:5, Interesting)
Hang on, let me catch up here. Did Linus digitally sign a control in a subsystem designed to download code from any old webserver you might happen upon and run it as root while I was looking the other way? And did he, after it was discovered that such a system is not perfectly, 100%, safe *astonished look* issue a warning on the Linux kernel developer mailing list stating, in effect, that he's a jackass and people should stop trusting him with anything more dangerous than a moist sponge in a bathtub?
I don't think so.
Re:So What's The Real Answer? (Score:3, Insightful)
Depending on how you define "rich feature set" I would suggest PHP or perl or some other server-parsed scripting language. PHP in particular, when combined with MySQL, makes a *great* web development combination. Java code can be fairly secure to run, but it's run locally.
Re:Why MS bugs so publicised?... (Score:5, Insightful)
1. Get an idea for useful software
2. Write a lot of working but buggy code
3. ??????
4. Profit
Then later when you can rest assured that the investors or collectors are happy...
5. Fix bugs
And if you're a monopoly...
6. Release bug-free "Upgrade" and charge more money.
Re:Hey great (Score:4, Insightful)
Wasn't that the rationale for the existence of "certification authorities"? If one must make one's decision about trusting software or not based upon the site where it seems to be, then there is no need at all for security certificates. Speaking for myself, if it says "Signed by Microsoft", I don't trust it at all, no matter if it was on a cracks site or not.