IE Vulnerabilities Page Removed
Henry V .009 writes "PivX Solutions has removed its (in)famous Unpatched IE Vulnerabilities page. Is Microsoft really getting better? From the site: 'Given Microsoft's recent positive actions together with the current rise in attacks against IE we have agreed to give Microsoft a good faith reprieve and have taken down our 'Unpatched' page. This was done in both a spirit of cooperation and for the good of the internet as a whole. As the ubiquitous browser that is utilized to access the internet, we all depend on IE too much to have crooks, social deviants, malcontents and crackers from messing with our lifestyles and our livelihoods. ENOUGH IS ENOUGH!'"
Google to the rescue... (Score:5, Informative)
Re:Google to the rescue... (Score:3, Interesting)
Re:Google to the rescue... (Score:5, Insightful)
Another PR effort at the expense of business (Score:5, Insightful)
As Schneier predicted [zdnet.co.uk], for Microsoft, the threat is bad publicity, and they are going to produce a security system that deals with the threat. Without some kind of disclosure, sysadmins cannot take stopgap measures to secure their systems. This is just another instance of rather than working on securing its products to a level needed for the Internet, the issue is being handled as a PR problem.
Time to upgrade [eweek.com] if you haven't already.
The Obligatory "Safari/Mozilla/Opera Wins" Post... (Score:2)
As the ubiquitous browser that is utilized to access the internet, we all depend on IE too much to have crooks, social deviants, malcontents and crackers from messing with our lifestyles and our livelihoods.
And as most of us here on Slashdot would say: That's exactly why it SHOULDN'T be the ubiquitous browser. And despite it all, it still is.
Re:The Obligatory "Safari/Mozilla/Opera Wins" Post (Score:2)
That we depend on it? That logically follows from the definition of ubiquity.
That there are crooks, social deviants, malcontents, and crackers? That's a part of life.
Either you pasted the wrong quote, or you (like most of us here on Slashdot) don't back up your anti-Microsoft rhetoric. It's not hard to make a logical case against IE, this post is just sans fact.
Re:The Obligatory "Safari/Mozilla/Opera Wins" Post (Score:2)
Because it is not the best browser.
--jeff++
Re:The Obligatory "Safari/Mozilla/Opera Wins" Post (Score:4, Interesting)
It shouldn't be ubiquitous because people should put more value on quality and less on convenience. Ultimately, it is this laziness which lets slipshod products (in any market, not just browsers) ride the tide of marketshare.
This can't be serious (Score:2)
Who, exactly, is we? And have this "we" ever heard of any alternate browsers such as Mozilla and the like? For those in the loop, it's just nice to know there is some light in the darkness of the internet browser.
Re:This can't be serious (Score:2)
Re:This can't be serious (Score:2)
Re:This can't be serious (Score:2)
Re:This can't be serious (Score:3, Funny)
Re:This can't be serious (Score:2, Informative)
Re:This can't be serious (Score:3, Informative)
I expect that most of the sites that track this use the browser's identifier string to compile statistics.
I use Opera, and it comes preconfigured to misidentify itself as IE 6.0 - probably in response to the websites that check the string and won't let you in if you aren't using Netscape or IE.
Re:This can't be serious (Score:2)
Mobilising the generic user to actually sit up, pay attention and in short give a shit would be great, but personally, I won't hold my breath . . .
Re:This can't be serious (Score:3, Interesting)
The world would be a much better place if everybody who used a computer knew as much as we did.
However... I'm sure people in the mechanic websites make fun of people like us all the time too because we phuck up our cars all the time.
Most of us know computers... most of them or at least the "we" in the quote above... do not really understand computers and computer security. That's why putting pressure on microsoft to fix its damn
Re:This can't be serious (Score:2)
hmmmm. have they done this sort of tracking?
Re:This can't be serious (Score:5, Insightful)
I'm sure they're justified in doing so, too. When I need something done to my car, I take it to a mechanic so that the work is done right. Likewise, when someone needs a web browser, I expect them to rely on software written by people who know what they're doing. I might ask a mechanic for reference customers, and consult the Better Business Bureau or local car club to make sure his work is of good quality. A sensible mechanic who needs a browser might check the Internet for references on a particular browser, also to make sure the work is of good quality.
See any parallels here? There's no excuse for not doing one's homework. There are plenty of articles available and accessible to the lay computer user that describe some of the many problems with IE. There's no reason for an intelligent user not to read them and make an informed decision. Quite frankly, as an expert in the field of software, I do not believe any intelligent user could make an informed, good faith decision to use IE. Therefore I conclude that most users are not intelligent, are not acting in good faith (i.e. they don't care about the quality of the products they use), or are too lazy to spend five minutes gathering information. Since the latter two are just subcases of the first, it's safe to assume that 90% of computer users are not very intelligent. This is independent of any expert bias - their use of IE is not foolish because they're expected to understand the problems with IE on a technical level, it's foolish because there's no need to understand those details in order to see that IE is not a quality product and is in fact unsafe to use. I don't need to understand intimate details about strengths of materials, bending moments, and energy absorption to know that a car is unsafe if its gas tank is likely to explode in a collision. In the same way, I don't need to understand the details of exploiting a buffer overflow to know that a browser which is known to compromise a user's personal information is unsafe.
Flamebait? Call it whatever you like, but if people spent 1/10 as much effort making sure they had a safe, effective, reliable computing environment as they spend to ensure the same about other aspects of their lives - such as their cars - there wouldn't be an IE as we know it today.
Re:This can't be serious (Score:3, Informative)
Well, yeah. Find anything with even CSS1 that does a remotely complex layout. For example, some guy put up a page describing how to do rounded corners on boxes in css. At least half of the css included in that thing is made up of IE workarounds. Some of those workarounds exploit IE CSS parser bugs in order to get different stuff in the engine to get it to render like everything else.
I use two different browsers with two different
Re:This can't be serious (Score:3, Insightful)
There are no such standards for computer software. The few standards organizations that do exist (in this case, W3C would apply, as well as IETF and perhaps a few oth
Re:This can't be serious (Score:5, Insightful)
Don't worry folks, Microsoft isn't a monopoly! (Score:5, Interesting)
Any time one piece of software from one company can be responsible for such negative impact on our lives because of how poorly it was designed, while still remaining far and away the dominant product in its category in spite of superior software being readily available, that's a sign that the ill effects of monopoly power are at play.
Re:Don't worry folks, Microsoft isn't a monopoly! (Score:4, Insightful)
And that the competition has no marketing ability. Not to harsh on your mellow or anything, but do you really believe technical superiority is what wins over the masses? Drop a billion or so per year on marketing and then see how your favorite browser does in terms of marketshare (or any software for that matter).
It is not enough to tout the technical advantage. You have to have someone who can translate into simple terms so Ma and Pa Walmart can understand that. Advertising is not about telling the truth, per se, but rather about making things look good regardless of any other factors. That's what Microsoft excels at (well, that and backroom deals).
The point of all this is: Microsoft may be a monopoly, and they may wield that power ham-handedly, but the competition let them get there by making assumptions that weren't true, namely that technical ability would actually mean more than it does to the public.
Re:Don't worry folks, Microsoft isn't a monopoly! (Score:2)
Re:Don't worry folks, Microsoft isn't a monopoly! (Score:3, Insightful)
How about we wait until Lindows and Mozilla have 93% of the desktop market before answering that.
MSFT is the only convicted monopolist with a known insecure desktop that I can see.
Integrati
Re:Don't worry folks, Microsoft isn't a monopoly! (Score:2)
Re:Don't worry folks, Microsoft isn't a monopoly! (Score:2)
Re:Don't worry folks, Microsoft isn't a monopoly! (Score:2)
"A billion here, a billion there... (Score:2)
The whole point of Microsoft's conviction under the anti-trust laws is that that statement is false. People bought other products and the browser was strapped to them (shafting SpyGlass systems en passant).
Microsoft claim(ed) that Bad Things would happen if you used a different browser with Windows (kind of like a car manufacturer saying "if you run your car on any other oil, it will blow up"
Re:"A billion here, a billion there... (Score:2, Insightful)
Netscape wanted to 0wn the net and they riled up Microsoft and now Microsoft sorta 0wns it instead.
I'm not sure either would have been a good thing, but I know there wasn't anybody involved who was a nice guy.
Re:Don't worry folks, Microsoft isn't a monopoly! (Score:2)
You're kidding, right? Your "marketing" could consist of $500 cash to anyone who replaces Internet Explorer with ANY other browser of their choice, and fewer than 10% of computer users could succeed without help.
Microsoft has captured nearly 100% of the browser market by abusing their operating system monopoly. Virtually everyone uses IE because it comes bundled with Windows, plus Microsoft illegally prevented other companies from preinstalling other browsers. Microsoft strangled competitors
Re:Don't worry folks, Microsoft isn't a monopoly! (Score:2)
If they advertised it, people would use it.
Re:Don't worry folks, Microsoft isn't a monopoly! (Score:2)
Re:Don't worry folks, Microsoft isn't a monopoly! (Score:5, Insightful)
No, it's a sign that Mozilla needs a PR firm.
Face facts: Lots of stuff that has been popular over has had a superior alternative. Newton/Palm. GameBoy/GameGear/Lynx/Nomad. Beta/VHS. USB/Firewire. Etc. You don't need a monopoly for that situation to be created.
Now, in this case, we do have a monopoly that puts IE in front of the users. Worse, IE does the job quite well. If you asked the average user out there what could be done to make IE better, the answer would not be "Tabbed browsing!". Why? Because they've never heard of that!
Cripes people. There are no commercials on TV about Mozilla or Opera. There are very few (if any) hints to Mozilla's existence on the mainstream news. You have to visit Slashdot to be blasted with Mo's zealotry. So tell me, how's anybody even supposed to know it exists?
Spare us the MS blame game. There are things that competing browsers can do that they simply aren't. When those avenues are exhausted, you can draw one of two conclusions: 1.) Microsoft has an impenetrable monopoly on the browser market. or 2.) The market has decided they like IE better. In the first case, you can bitch and moan. In the second case you can improve Mozilla.
Re:Don't worry folks, Microsoft isn't a monopoly! (Score:2)
"Contrary to your claim, most technical/power users are fully aware of Netscape 7 at least, and aren't really all that impressed."
That's because it was slow, bloated, and generally sucked. Nobody around here is touting Netscape 7 either. If you can't get the 'informed' people to use it, then there's something horribly wrong with it, now isn't there?
So, to paraphrase... (Score:3, Insightful)
What were the reasons against a monopoly that my economics teacher tested me on again?
bravo pivx! (Score:4, Interesting)
First, they applied the pressure to help force microsoft into fixing the software.
Second, they are now giving microsoft some slack (negative reinforcement?) for trying to fix its browser.
Bravo guys!
Plus, these guys are hiring! [pivx.com]
Re:bravo pivx! (Score:2)
Where do we go from here? (Score:2)
Time to split the browser from the OS (Score:2)
Wow, great! The internet as a whole thanks you! (Score:3, Funny)
For the good of the internet as a whole!
In Other Words (Score:2)
Meaning we were bought off by M$.
Re:In Other Words (Score:2)
why not go the extra mile? (Score:2)
Good point. Anyone got some mod points to spend? (Score:2)
Huh? (Score:2)
Right. (Score:2)
Anyway, IE is too much a part of our lives for it be easy for us to know exactly what risks we are exposing ourselves to by using it. Enough negative PR is enough.
Ignorance is strength!
I smell a rat... (Score:2)
Any time Ballmer screams 'uncle' it makes me want to turn the screws tighter - not let off...
I had to read it twice (Score:2)
What a load of shit, and what a way to lose one's credibility.
motive? (Score:2)
Think about the similarities (Score:2)
Microsoft's recent positive actions (Score:2)
(C'mon, guys, you have to say it more often to really get the "mantra" feel...)
Don't ask, don't tell all over again (Score:2)
I myself recently changed over from IE to Firebird, as I was just too fed up with the system slowdowns, the lack of feature advancement, and the glaring holes IE has. I had to learn about these issues the hard way. How do you expect Mr. and Mrs. Average User to make any sort of informed decision about their situation and vul
A Larger Problem (Score:2, Interesting)
Why aren't other pages keeping track of unpatched vulnerabilities in other software? Well, have you ever tried to match up the CVE database with patches? It's difficult. I don't know anyone who can answer how many unpatched vulnerabilities are present in W2K, XP, and the like. Has to be boatl
A short history of IE vulnerabilities: (Score:3, Informative)
A short history of vulnerabilities reported by PivX:
"Good-faith reprieve" (Score:4, Interesting)
It has been proven time and again and again and again that vendors, especially monopoly vendors, will not fix their systems in a timely manner unless they're pressured to. And by "timely manner", I mean within four weeks.
The last five or six MS security bulletins I've seen had lapses of between SIX AND NINE MONTHS between the reporting of the problem and the release of the patch.
So two things:
1) If Microsoft doesn't fix all the currently-known vulnerabilities within six months, somebody should take it upon themselves to start tracking them again
2) If Microsoft can't get their act together and release patches for new vulnerabilities in a timely manner (instead opting to waffle for six months while real people's systems are getting exploited because MS is _never_ the only entity to know a vulnerability, and it's almost guaranteed that somebody with nefarious intentions does), then somebody should take it upon themselves to start disseminating as much information as is required for *real* preventative measures to be put in place
I'm all for giving them one more chance, but I'm not willing to sacrifice my clients' systems by changing my standards for this "chance". They either do what they should do, or they have to deal with me telling my clients exactly what they need to do to protect themselves from a given vulnerability - and that information would almost certainly be enough for a black-hat to use if it ever got leaked.
If you think my standards are too high, consider that other vendors whose software is used on systems which literally control life-or-death systems often release fixes within hours and days, not weeks and months.
Re:"Good-faith reprieve" (Score:2)
How can 4 weeks be considered a reasonable amount of time to fix a bug and issue a patch when IT people who merely DEPLOY the frick'in patch complain that 4 weeks isn't enough time to deploy a patch?
I'm all for quick turn around, but I wish people would be a bit more consistent with thei
Re:"Good-faith reprieve" (Score:3, Interesting)
Most of my clients have a few hundred computers. When it's important, they'll usually get a patch deployed on every machine in a few hours (work split between a half-dozen people).
There are tools that scale very well. One of my clients has 4,377 servers (just looked that up), and somewhere around 14,000 wor
Normal people have never heard of Mozilla (Score:3, Interesting)
Why isn't the most important reason given? (Score:2)
As you know Microsoft has just released a new patch MS03-040, which renders several IE vulns obsolete. We are presently testing the efficacy of the vulns reported to be fixed and we can report that MS03-040 is doing the job it was intended to.
So why was that left out? Reading the summary I just thought that these people were being nice guys to Microsoft, and not that Microsoft actually addressed and fixed many issues with IE.
One sided journalism?
Re:Why isn't the most important reason given? (Score:3, Insightful)
"One sided journalism?"
Ah, new to Slashdot?
This is exactly the reason that so many 'Microsoft Apologists', as they're affectionately called here, argue with popular opinion. Simply put, you really have to RTFA with stories about MS because they ALWAYS have the worst possible spin here. As a result, people come out and
Re:Why isn't the most important reason given? (Score:4, Interesting)
That releasing a patch removes the need to know about the outstanding vulnerabilities is simply nonsense.
Which IE vulnerabilities are rendered obsolete by the patch? Which remain? "Several" is not "all". It's quite likely not even "most". Which ones are still there? Well, suddenly pivx aren't going to tell us.
It's dark. You are likely to be eaten by a grue.
Charles Miller
Hacked (Score:2)
Reprieve (Score:2)
They don't give a timeline for how long it will take for Microsoft's complete lack of action in fixing its crappy software before they become so pissed off that they put the page back up.
I'd like to make a suggestion!!! (Score:2)
This is a mistake (Score:3, Informative)
google to the rescue! (Score:2, Redundant)
Condition of settlement... (Score:2)
Translate: "It was a condition of our settlement with Microsoft that we make it sound like we took this down of our own volition".
Security Through Obscurity (Score:2)
Oh well... (Score:2)
Everyone ... (Score:2)
I'm sure some of them are going to sue MS for not letting them own a leaving
Hrm (Score:2)
I'm not one to believe in conspiracy theories, but it's not my perception that IE has been doing much better. I do wonder what part, if any, Microsoft had in this.
It's not that I'm lazy (Score:3, Interesting)
I am a web designer, and I am fully aware of the problems with IE - security and otherwise. But personally, I really don't care about its vulnerabilities. My job is to make my web pages look correct in maybe this version and a few versions back of IE, but that's really it.
Ok. So you can take over my computer with a web page. Well, I'm not going to YOUR web page.
My email filters out spam. Not going. I don't look for warez, don't check out pr0n, don't download any hip new software.
I DO go to my bank's web site and look at my balance, read
I know it's not a safe way to live, and I think that if my computer were destroyed right now I'd shrug and say "meh." And then build another one.
Maybe others feel the same?
Re:It's not that I'm lazy (Score:4, Insightful)
That doesn't help much. The recent QHosts malware (which used one of the 31 unpatched IE holes to install itself) was distributed via a banner ad. You don't have to visit $badguy's web page if $badguy has hacked into one of the web sites you do visit, or if he can use the commercial banner ad network to serve up his exploits.
Be a part of the solution: use Free Software. (Score:3, Interesting)
From the site:
Try Mozilla [mozilla.org] or Konqueror [konqueror.org] instead--two fine free software web browsers (and there are many others). Then consider switching to a free software operating system so you don't bump into holes in other applications and have to wait for the proprietor to fix them for you. If you want to inspect, copy, distribute, or modify free software programs you can do so (or get someone else to do so for you). Freedom is really worthwhile.
Re:One of my favorites (Score:2)
Re:One of my favorites (Score:3, Informative)
Yes, I cheated so I could pass W3C validation. They're called conditional comments [microsoft.com]. If I wasn't using conditional comments, the code would not validate, but IE would still crash, and other browsers would not crash (although they would show a form field, defaulting to type="text").
Re:One of my favorites (Score:2, Insightful)
Re:One of my favorites (Score:2)
Re:One of my favorites (Score:2)
Re:One of my favorites (Score:2)
Here's mine [mytsoftware.com], which crashes older IE and Mozilla browsers with the input type and fieldset bugs, and attempts to handle the rest with a popup flood.
Re:One of my favorites (Score:2)
nice try.
Re:One of my favorites (Score:3, Insightful)
Re:One of my favorites (Score:4, Interesting)
This is both under Windows, but it shouldn't matter. The important part is new Packages.sun.plugin.javascript.navig5.JSObject(1,1 ) which, obviously, shouldn't crash the browser. I think this is really a problem with the Java plugin, but I can't guarantee that. (So this may really be a plugin problem, not a Mozilla problem. Or it may be a Mozilla problem with the Javascript/plugin interface. I don't really know.)
Re:But you can get Moz to crash with it (Score:2)
Re:But you can get Moz to crash with it (Score:2, Interesting)
Re:But you can get Moz to crash with it (Score:3, Interesting)
Am I the only one (Score:2, Interesting)
Am I the only one who read "IE Vulnerabilities Removed"? I knew it was too good to be true...
That's funny, but jokes aside,
I believe this is what Microsoft should be doing, id est removing the vulnerabilities themselves, not merely the discussion about them. Those greedy bastards have so much cash that patching IE should take them less than 6 weeks. So I am asking: why aren't they doing that? Is there any Microsoft employee reading this who could answer my question? I surely hope so.
Obligatory sell out reference (Score:2)
"Of course we weren't 'asked' to take it down, It was suggested, and encouraged with large amount
Solutions? (Score:2)
Re:Obligatory sell out reference (Score:2, Interesting)
Hopefully it'll be up in a few days. No URL yet. This knowledge must be available to people.
Re:translation (Score:2)
That said, I also have no evidence that it didn't happen just the way they are saying. But their assertions don't mean *anything*, either plus or minus. Too many precedents where t
Re:Uh? (Score:2)
Tim
Re:the ubiquitous browser? (Score:2)
HSBC's online banking works flawlessly with both Safari and Camino on OS X, plus they give me really good student deals on loans, overdrafts and cheap rail travel in the UK.
There's a lot to be said for keeping your customers happy. The trend that has emerged far too often with businesses lately has been "fuck the consumer, profits are king" and HSBC (at least when dealing with me) has been nothing but helpful at every turn.
Re:the ubiquitous browser? (Score:2)
I don't agree.
Most major banks definitely seem to have a definite 'profits are king' attitude. Student accounts are often a pretty good deal, but most people I know who were students got to see a bit of a different side after they graduated or dropped out. I've heard rather a lot of criticism of HSBC..
Personally I've had very good luck with Smile (Co-op's online bank, better interest rates than their main bank but they don't send statement
Re:the ubiquitous browser? (Score:2)
HSBC gave me either 50 or a 4 year student railcard (worth 70) as a sign up incentive for a student account and over the three years at uni I shuttled back and forth to London countless times, easily saving more than the 50 cash incentive.
They were very helpful when I lost my job during university and extended my free overdraft temporarily while I waited for my next loan installment from the Student Loans Company.
They have also been excellent post-university,
How true you are, mon ami, how true (Score:2)
No. (Score:2)
Re:Depend? (Score:2)
1) Download Firebird, no, really, it rocks. It's small and loads fast...plus you get tabbed browsing, popup blocking and any little XUL plugins (like the very useful realtime CSS editor)
2) Change the internet explorer link to point to Firebird, whilst still keeping the IE logo. Now, whenever you click on IE, Firebird comes up instead!