Follow Slashdot stories on Twitter

 


Forgot your password?
Close
typodupeerror
×
Security Operating Systems Software Windows Internet Explorer The Internet IT

IE Flaw Puts Windows XP SP2 At Risk 227

Posted by CowboyNeal from the double-your-pleasure dept.
Zigor writes "CNET is reporting that a new flaw has been discovered in Internet Explorer that could enable a remote attack on systems running Windows XP with Service Pack 2, eEye Digital Security has warned. The discovery of this IE flaw comes just over a month after Microsoft issued a cumulative patch addressing three vulnerabilities for IE. The new IE flaw also adds to another vulnerability, discovered last month, that affects systems using Windows XP SP2."
This discussion has been archived. No new comments can be posted.

IE Flaw Puts Windows XP SP2 At Risk More

IE Flaw Puts Windows XP SP2 At Risk

Comments Filter:
  • That the bigger problem is the platform IE resides on.
    • The bigger problem is how to neatly remove IE from Windows systems. I continue to believe that open source geeks can find a way to do this. Heck, so much has been done by open source programmers without M$ support at all. Do not be surprised when some geek releases a tool/utility to do just that.
      • Doesn't Microsoft demand you use IE to patch Windows? Sure you might make it a bit more secure by getting rid of IE, but you'll still need those updates (but I guess you can illegally download those off p2p, just have fun trying to avoid the viruses as well).
        • No. You need IE to use windows update, but all of the patches are downloadable as .exe or .msi installers. The problem is that when you use the files, there's no good way of knowing which one's you've installed and which ones you haven't. That's what makes windows update so useful.

          • Re:Most Will Agree...But No... (Score:5, Informative)

            by GlassUser ( 190787 ) <slashdot@glassuG ... r.net minus poet> on Saturday September 17, 2005 @12:17PM (#13585068) Homepage Journal
            You should consider the Microsoft Baseline Security Analyzer [microsoft.com]. It will scan your computer (hell, it will remotely scan all the computers on your domain if you want), tell you what you have or don't have, and give you links to the download.

            • Re:Most Will Agree...But No... (Score:3, Funny)

              by Anonymous Coward
              Weee Micros~1 Genuine Advantage REQUIRED to download the tool.

              Fucking nosy bitches at Micros~1, when is it enough?
            • Does that work without IE?

              It looks like it uses IE for rendering to me.
            • Hurrah, I passed everything according to the tool. But did I really pass...I'm not sure I sleep any more soundly knowing that MS thinks I am secure. As Reagan used to say "trust, but verify".

          • Re:Most Will Agree...But No... (Score:4, Informative)

            by Anonymous Coward on Saturday September 17, 2005 @12:27PM (#13585136)
            This is so easy, why make it so hard?

            Turn off ActiveX, infact turn off everything in IE (scripting, install, etc) in the "internet" zone.

            Now, the easy part: add microsoft.com to the "trusted sites". In fact, if you surf to the windowsupdate site with activex turned off you get the message of exactly what to add to "trusted sites".

            Sleep easy knowing that (a) windows update works (b) nothing else works. Happyily use Mozilla for your web browsing.

      • Re:Most Will Agree...But No... (Score:5, Informative)

        by baadger ( 764884 ) on Saturday September 17, 2005 @12:11PM (#13585045)
        This has been discussed before and seems to start flamewars.

        Yes there is a way to remove the IE engine from Windows 2000's installation files (and indeed integrate IE6 into them, since 2000+SP4 comes with IE 5).

        The method of doing so is here [vorck.com]. However it breaks things such as Windows help, Windows Update and lots of miscellaneous parts of the OS. For me atleast, it made the OS almost unbareable, introducing alot of annoyances. Although to be fair, I followed the post-install instructions...in theory, pre-install removal should be smoother.
    • True, partly.....You can still write programs on Windows which can be secure.

      IE is insecure coz it tries to do much more than what it should (ActiveX etc). It tries to go beyond being a browser and tries to give a "whole user experience", which is why its tied a bit deeply into the OS (possible to remove though, as another poster said)

      A basic design policy of programs should be that they should stick strictly to what they are supposed to do. If they try to be oversmart, they end up like this.

      PS: I do agree
    • At least they are learning ... ( User Account Protection [microsoft.com])

      Over the last several years, a number of viruses and worms have been directed at Windows. These attacks have cost our customers, both in the enterprise and home environment, significant amounts of money to remediate. Additionally, a variety of malicious software, especially SpyWare, is being installed or launched by unsuspecting users. Malicious software is even being built into otherwise useful and seemingly innocuous software.

      In both cases, our con

    • Re:Most Will Agree... (Score:4, Interesting)

      by callipygian-showsyst ( 631222 ) on Saturday September 17, 2005 @01:52PM (#13585605) Homepage
      That the bigger problem is the platform IE resides on.

      Actually, I don't agree with that at all. Windows XP has a complete, robust security model. However, Microsoft made some bad choices, like letting the default account on XP Home have administrator rights; and granting execute permission by default (without having to explicity have an admin set the execute bit) to newly downloaded files. Most of the problems XP has are at the application level, not the core OS level. I can't remember ever seeing a privilege bug that had to do with core OS functionality.

    • the IE is the platform. the IE is highly integrated into windows.
    • No I totally disagree... I've made this statement before and I'll make it again, the issue is that people run their desktop under an administrative account... which means when rogue code enters your system it has free will to do anything.

      Firefox/Mozilla has had some recent security issues... and if you run an administrative desktop, which um, 99% of SOHO users do, then Mozilla can be just as bad a proxy for malicious intent.

      The reason Mac OS X users have been able to enjoy a life free of viruses is because
      • the issue is that people run their desktop under an administrative account... which means when rogue code enters your system it has free will to do anything.

        Running under a non-admin account may save some time reinstalling but unless you are prepared to split yourself into multiple users for different tasks (which is more of a pain than i suspect most users will bear) thats about all it will do.

        and remember on a linux system if someone comprimises your user account its fairly easy to set you up with a local
        • Yes you are right... it's more than what people will bear... but life's a bitch. I sure as hell don't run processes that talk on the Net with administrative credentials.

          And it's trivial to run programs with admin credentials on a non-admin desktop. Truly trivial. It's just that users don't know how to wipe their a**, nor want to learn.

          Unlike a TV or a toaster, you hear many analogies about how a computer should be easy to use like them, a computer runs software systems that are highly dynamic and require ac

  • You're kidding! (Score:5, Funny)

    by wealthychef ( 584778 ) on Saturday September 17, 2005 @11:51AM (#13584917)
    A security flaw in Internet Explorer! Stop the presses! Oh my God! This is such BIG NEWS!

    • "All you need to do is patch or buy the upgrade" (Score:4, Interesting)

      by Anonymous Coward on Saturday September 17, 2005 @12:18PM (#13585083)
      We hear constantly the mantra "All you need to do is patch or buy the upgrade" from MS apologists, salesmen, astroturfers and fanbois. Yet, every few weeks there is yet another article about some flaw or other that, like this one, can take out fully patched, recent versions of MS Windows. This is not big news

      What is big news is that memories are so short that every time such a problem is publicized, it is quickly forgotten and we all go back to bleating the mantra "All you need to do is patch or buy the upgrade". Seriously, continuing to treat security problems simple as PR issues eventually crosses the line of fraud (from an economic view) or sedition/sabotage (from a nationalistic view).

      • Seriously, continuing to treat security problems simple as PR issues eventually crosses the line of fraud (from an economic view) or sedition/sabotage (from a nationalistic view).

        Oh, come on, why can't you just patch or buy the upgrade?

      • Talk to a security-concious sysadmin of a Linux box. Patching is critically important for ALL software, regardless of its overall security. That's not PR, or fraud, or sedition, or sabotage.

        Yes, Windows should be brought to task for its higher rate of problems. But its quality isn't so bad that it's legally actionable.

    • stop the presses! (Score:5, Funny)

      by Andy Gardner ( 850877 ) on Saturday September 17, 2005 @12:22PM (#13585103)
      Homer: OK, Start the presses.
      Editor: That takes four hours...
      Homer: Whatever, I'll be at Moe's.

    • Re:You're kidding! (Score:3, Informative)

      by Anonymous Coward
      Indeed. The proper title would be: "IE puts Windows at risk".

      Ditch IE, and all the spyware and other crap stops being an issue. I see so much people arguing over which spyware scanner is the best, like if it's a normal thing to have to scan your system for spyware everyday in the first place. Just like people arguing over the best tire repair kit, seemingly thinking it's normal to have a flat tire everyday.

      Don't use IE (lots of alternatives, including firefox and opera), and all these scanners will find is

      • Re:You're kidding! (Score:3, Insightful)

        by Xarius ( 691264 )
        like if it's a normal thing to have to scan your system for spyware everyday in the first place.

        It's not necessarily a normal thing to be mugged, but we have police and whatnot just in case it does happen. It's an unfortunate truth that we live in a world where we can't trust one another.

        Best to take precautions, even though they wouldn't be necessary if everyone played nice.
        • So, you get mugged every week(get infected) and you keep reporting the event to the police(spyware scanner) who may or may not do something about it and you still repeat the same action over and over again?

          A sensible person secures its neighbourhood (hw firewall/router), goes doing some bodybuilding and gets some self-defense stuff (linux), or the paranoid ones will go out in a tank, in a full body armour and a huge personal armoury inside the tank, while going to kung fu school to Pai Mei (openbsd).
        • It's not normal to get raped, but if you walk down the street in a bad neighborhood wearing a skimpy leather outfit and assless chaps (male or female), and a t-shirt over the top that says "I do anal", you takes yo chances.

          It's still the fault of the attackers, but come on. Put some damn pants on and use Firefox.

  • Pfew! (Score:5, Funny)

    by Mr2cents ( 323101 ) on Saturday September 17, 2005 @11:52AM (#13584928)
    Luckily I didn't install SP2!

    • Re:Pfew! (Score:4, Funny)

      by __aaclcg7560 ( 824291 ) on Saturday September 17, 2005 @12:02PM (#13584998)
      Luckily I didn't buy a PS2! :P

    • Re:Pfew! (Score:2, Interesting)

      by iethree ( 666892 )
      I too have not yet installed SP2. I was about to the other day, but now i'm glad i didn't. I'll wait a few more months till they've released a few more patches for the patch in the swiss cheese OS.

      • Re:Pfew! (Score:5, Funny)

        by jacksonj04 ( 800021 ) <nick@nickjackson.me> on Saturday September 17, 2005 @12:32PM (#13585168) Homepage
        Since I can't tell if you're being sarcastic or not:

        Install SP2 now. What are you doing waiting to install a set of patches? There are no issues with SP2 and 99% of users, except that it might put an extra dialog box in the way of doing something stupid. Not to mention all those horrible security fixes and automatic updates on by default.

        This new issue is not worth leaving your system unpatched for, if anything it's exactly the kind of thing that SP2 forced updates to be on by default for.

        • Re:Pfew! (Score:2, Flamebait)

          by Bert64 ( 520050 )
          sp2 also makes the whole thing run considerably slower.. and causes incompatibilities with certain (admittedly poorly written, but your running them on a poorly written os too) apps..
          The best solution, would be to uninstall the affected software and replace it (or not use it atall, not all machines need a browser) but ms makes that as hard as possible to do.

          • Re:Pfew! (Score:3, Informative)

            by Snover ( 469130 )
            Can't say I ever noticed a particular degree of slowness with SP2 installed. Disable NX and disable the Security Center service and you've got Windows XP SP1 with all updates applied. :)

  • Is The Honeymoon Still Over? (Score:5, Interesting)

    by TheRaven64 ( 641858 ) on Saturday September 17, 2005 @11:53AM (#13584932) Journal
    I presume we are still to believe that FireFox is less secure than IE, because it has had more vulnerabilities discovered recently? My favourite quote:
    Because the details of the vulnerabilities have not been made public, users are not at risk of an exploit being developed to take advantage of the flaw.
    • ``I presume we are still to believe that FireFox is less secure than IE, because it has had more vulnerabilities discovered recently?''

      It begs the question though: how much effort is being put in finding flaws in Microsoft software, and how much effort is being put in finding flaws in other software? I know that Windows is to security as a submarine is to a sponge, but what about a default Ubuntu install?

      My laws of security:

      - Windows is so insecure it has become unusable.
      - There's no way of

      • Re:Is The Honeymoon Still Over? (Score:5, Insightful)

        by TheRaven64 ( 641858 ) on Saturday September 17, 2005 @12:24PM (#13585118) Journal
        - Any software written in unsafe languages (notably C) is bound to contain vulnerabilities

        I would advise you to read this essay [dovecot.org]. Being written in an unsafe language does not intrinsically make something insecure - it just makes it a bit harder to write secure code. Likewise, a bad coder can write insecure code in a safe language.

        • I don't know if you or the essay author realize it, but the essay proves the grandparent's point more than yours. The opening statement is, "The more you have to remember to maintain security the easier it is to forget something." The author then goes on to show a long list of things that must be remembered in a C program in order to maintain security.

          Yes, it is possible to write secure code in an unsafe language, but it is a lot more than "a bit" harder. Any talented programmer almost instinctively kn


    • Because the details of the vulnerabilities have not been made public, users are not at risk of an exploit being developed to take advantage of the flaw.

      This is mostly true. Usually people who exploit such security flaws find about about them by reverse engineering security updates. Windows is such a large system (Tanenbaum says millions of lines of source code went into Win 2k itself), that it will be very difficult for many not-so-bright-hackers to look for exploits without, ironically, some help or hi
      • Usually people who exploit such security flaws find about about them by reverse engineering security updates.

        I'm curious; what makes you say this? This may be true for the script kiddies out there, but aren't brighter hackers (of the sort that find the problems in the first place) more likely to target their attacks to more specific/profitable victims, making them far less detectable?

    • Re:Is The Honeymoon Still Over? (Score:2, Funny)

      by Anonymous Coward
      From $100 Million Marketing Push For Vista: With the longest gap ever between major releases of Windows operating systems -- the current version, Windows XP, was launched in late 2001

      And it seems Windows XP was never finished! Maybe they should make one decent product before they move on.

  • Sex sells. (Score:3, Insightful)

    by Anonymous Coward on Saturday September 17, 2005 @11:56AM (#13584955)
    So try to look at this site http://www.thelovesearch.com/ [thelovesearch.com] using Microsoft
    Internet Explore. It will try to convince your to use Firefox using
    sex appeal.

    If we could convince all porn sites to only support Firefox the battle
    would be won in a few weeks.

    Or am I dreaming now ??

  • Oh, but it's Firefox that's the unsecure browser (Score:3, Interesting)

    by aussie_a ( 778472 ) on Saturday September 17, 2005 @11:57AM (#13584957) Journal
    At least according to slashdot anyway [slashdot.org].

    IE is unsecure, and it's insecurities are compounded by how much it is tied in with Windows.

    Issuing patches is just playing catch-up in a game that Microsoft will never win. However addressing the fundamental problems (such as how much IE is tied into the operating system, not preinstalling every Windows installation with IE) IE's problems will always be larger.

    • Re:Oh, but it's Firefox that's the unsecure browse (Score:4, Insightful)

      by wealthychef ( 584778 ) on Saturday September 17, 2005 @12:14PM (#13585059)
      The fundamental problem is not how much IE is tied into the operating system. The fundamental program is that, as another poster has said, the operating system it is tied to violates the principle of least privilege repeatedly in a way that more secure systems do not, and security is layered onto it instead of being built into it, making securing it an eternal effort consisting of filling holes that never go away. A big part of this is the whole concept of ActiveX.
      If IE were not tied into the OS, MS would find another way to force "remote administration capabilities" on users without their actively enabling them, which is what most of the problems stem from, I think.
    • I've heard that after reading that article, Steve Ballmer has been throwing another chair around the office, claiming that they "must close the insecurity gap with Open Source"

      So they put a couple of DEVELOPERS DEVELOPERS DEVELOPERS DEVELOPERS on it (freshly pulled of that Vista thingy), in the hope to have IE once again become market leader in security flaws.

      Looks like they are catching up quickly.

  • What is THIS?! (Score:5, Insightful)

    by the_skywise ( 189793 ) on Saturday September 17, 2005 @12:02PM (#13584997)
    A Microsoft representative confirmed that the company had received the report from eEye and said it will be investigating the issue. Because the details of the vulnerabilities have not been made public, users are not at risk of an exploit being developed to take advantage of the flaw, the representative said.

    What kind of STUPID commentary is that? I mean, geez, why doesn't Microsoft just come out and say that the "peekaboo" method of virus security is a valid defense! "nyah, nyah, my hands are covering my eyes so the exploit can't harm you!"


    • > What kind of STUPID commentary is that?

      The completely predictable attempt at damage control by the spokesman for a corporation that got caught screwing up.

      Any more questions?

    • You might want to ask the Mozilla folks about that as well... it seems they've taken to "quarantine" vulnerability details until after a patch has been released. Well, that's when they can. Sometimes someone will release the details without giving them a chance to hide the problem until they can fix it. And of course afterwards they whine about it. Does that remind you of someone?

      Firefix is still a safer browser than IE, and even moreso because it's not so deeply encrusted into the operating system. But t

      • Credibility? Aw, c'mon...

        There is a difference between not publicizing the vulnerability and having your PR-droid say "We have not publicized the details of the vulnerability are not public so there is no fear of attack".

        One is questionable prudence, the other is just downright lying. If one white hat security firm can figure it out, how hard can it be for hundreds of black hat exploiters and spammers to figure it out?

        To wit, I wouldn't have bothered posting if Microsoft had just said, "We are aware of th
    • Because very few people know how the exploit actually works, I don't think we'll see a security issue in the very near future.

      If you have Automatic Updates running in Windows XP (which the Security Center in Windows XP wants you to do), once Microsoft releases the IE patch it will be automatically installed on your system (or at least notified automatically of the update).

      I expect the patch to be ready probably with the next week or so, since Microsoft takes browser security very seriously nowadays; the com

  • The Real News (Score:5, Informative)

    by TheRaven64 ( 641858 ) on Saturday September 17, 2005 @12:03PM (#13585005) Journal
    I think the real news is not the fact that there is a new vulnerability, but that (from the second link) there are still 12 unpatched vulnerabilities allowing remote or arbitrary code execution found by one organisation. The oldest of these was reported in March.

    • Re:The Real News (Score:3, Interesting)

      by RLiegh ( 247921 ) *
      I don't think that's the real issue; after all, I'm sure you can probably find bug reports older than march in the firefox/mozilla code. The real issue, as has been pointed out, is that because of how closely IE is tied into the OS (unlike firefox), any bug in IE becomes a security risk.

      • Re:The Real News (Score:3, Insightful)

        by Bert64 ( 520050 )
        There are many older bug reports relating to mozilla, but the security related ones get fixed quickly atleast, especially the ones serious enough to allow remote code execution.

  • guess what.. (Score:4, Interesting)

    by brajesh ( 847246 ) <brajesh DOT sachan AT gmail DOT com> on Saturday September 17, 2005 @12:04PM (#13585015) Homepage

    Protection for the said vulnarability [eeye.com] is already provided by eEye : Blink Endpoint Vulnerability Prevention [eeye.com]. hmmm...

  • An ounce of prevention? (Score:4, Insightful)

    by shoolz ( 752000 ) on Saturday September 17, 2005 @12:06PM (#13585019) Homepage
    We see this cycle of exploit > patch repeat itself ad nauseum. Microsoft seems to react to every exploit or windows security failing by Would it not make more sense to be proactive and just outright buy a security company, or at least buy their services to just beat the shit out of Windows 24/7? This way, most flaws would be known first to MS, and could be patched before they become widely exploitable.

    What the fuck am I missing from this equation? Never mind the snappy responses about how M$ are greedy bastards... from a business perspective, why the hell hasn't some top level big-wig at MS pushed for this?

    • Simple, is it possible? (Score:5, Interesting)

      by SmallFurryCreature ( 593017 ) on Saturday September 17, 2005 @12:38PM (#13585201) Journal
      Security is hard. Impossibly hard the moment you allow humans to enter the equation.

      Security is after all about restricting access. Most extreme way to keep a computer safe is to make it impossible to access. Want a safe websurfing session? Easy just take out that little cables in the back of your computer, the power, the network and the keyboard one would do for starters.

      But that kinda security doesn't work because we want things to be easy. What is an often heard complained about windows vs unix security? That by default windows has the user logged in as root, the defence being that users don't want to have to type in a password just to install software.

      MS could easily introduce unix like root-user seperation, they used to be a unix company after all. Some linux distros make it very clear when you run your desktop as root and some IRC proggies even flatly refuse to run when you are the root user. MS could easily do the same, refuse to access the net when running as root, force the user to get software under their normal account then install it from the root account, this would force the user to think for a second.

      But they can't, that is not the product they are selling. MS wants to sell an OS that will just run. If a website needs the latest flash then that should just be installed without the user noticing.

      I don't think MS isn't aware of the risk this poses, I think they view this as the same way as credit card companies view the risk of how easy it is to abuse their card system. Or how easy it is to learn a 4 digit pin number. Would be very easy to make these multi billion dollar payment systems more secure. But it would also introduce a lot more difficulty that might reduce their usage.

      So MS probably has people who have a solution to this but it would make windows a lot harder to use, marketing might have a thing or two to say about it. Hell support might too, would MS really want to deal with all of its users suddenly having to learn the concept of user vs admin?

      In a way the public has the final say in wether windows ever becomes secure. The same public that buys SUV's wich are the most lethal vehicle on the road 4x times more likely to kill if you hit a pedestrian then other cars. The same public that flies with cutrate airlines offering flights at prices cheaper then the ride to the airport. The same public that still buys each new version of internet explorer after a decade of security alerts.

      So from a business perspective why doesn't some big-wig at MS does this? Because the big-wig wants to keep his job. Insecure windows sells, slightly more secure linux does not. It is not greed, it is common business sense. You give the customer what they want. MS is very good at that. Compare it with McD, they used to sell lard with flavor. They only added a few salades after customers started demanding them with their dollars. McD did not fight this, there had to be no legal battles. As soon as they noticed demand, they supplied. Sure they didn't supply it in say the 70's because a few leftie protestors does not equal demand. A bunch of guys at slashdot complaining does not equal demand to MS.

      • MS could easily introduce unix like root-user seperation...But they can't, that is not the product they are selling. MS wants to sell an OS that will just run. If a website needs the latest flash then that should just be installed without the user noticing.

        It is an often repeated fallacy that you cannot have ease-of-use unless you run as root. That's absurd. In Linux, I don't care if I'm root user or not 99.99% of the time. If I click on a control panel icon, and it needs root access, it prompts me f

      • Until MS include the customers costs in the costs to create and distribute a security fix you will never see a sensible security policy come out of MS.

        OTOH, until MS customers find ways to punish MS when it does something stupid MS will not change its ways.


    • > Would it not make more sense to be proactive [...] why the hell hasn't some top level big-wig at MS pushed for this?

      Because security flaws aren't affecting MS policy makers' ability to afford their lifestyle. MS will get serious about security the day it threatens to deflate certain peoples' wealth, and not a day sooner.

    • Why spend the money to find the flaws when people are doing it for free? Microsofts not losing anything, some schmos computer gets wiped by a virus and he goes out to buy a new computer complete with a new version (patched old version) of Microsofts latest OS. Some company gets riddled with holes and conveniently finds contracts for anti-virus/malware solutions from the same company who's OS they're using.
  • Ok, so now we get the news on the latest security vulnerabilities in Windows and other Microsoft software. Great. How about vulnerability announcements in popular software for *nix? I personally don't have any use for announcements for Windows vulns, because I don't use it anyway.

    So can we please get equal time share for *nix vulnerabilities, or, better yet, provide a way to filter out vulnerability announcements for software we don't use?
    • So can we please get equal time share for *nix vulnerabilities

      That doesn't make very much sense. It makes more sense to give time share based on the percentage of *nix users, also taking into account the amount of *nix vulnerabilities.

      Given those 2 criteria I'd say you do get your allotted share of time.

      provide a way to filter out vulnerability announcements for software we don't use?

      Here's a tip, don't click on the link and post to complain about the article. Glance at it (or use an RSS feed to
    • So can we please get equal time share for *nix vulnerabilities, or, better yet, provide a way to filter out vulnerability announcements for software we don't use?

      Your post is commendable for being one of the few that doesn't try to pass off as witty any of the cliche comments like "IE is insecure?", or "Microsoft sucks", or "They should never have integrated IE and Windows so tightly to begin with." On the other hand, if you're actually looking to Slashdot for bug and vulnerability announcements, then I

  • Open source enhances security of MSFT's customers (Score:5, Insightful)

    by FlorianMueller ( 801981 ) on Saturday September 17, 2005 @12:06PM (#13585023) Homepage
    I run various Microsoft programs (Windows, Office, VS.NET, but IE only when it can't be avoided), and still my biggest hope for better security with those Microsoft programs is on increased competition from open source.

    Security holes are quality issues. If Microsoft took only 10% or 20% of its annual profits, which are well above 10 billion dollars, and spent that money on additional security test centers and code review groups, then they could greatly reduce the number of critical flaws. Think of how many security experts and code reviewers they could hire for an extra 1, 2 or 3 billion dollars a year.

    Their .NET architecture with its managed-code approach would at least avoid those buffer overflows that allow for the execution of hostile code, but MSFT isn't too fast at porting its existing code base to .NET.

    The only way that MSFT will make the necessary investments is if they feel ever more competitive pressure. I personally don't intend to switch from the MSFT platform to anything else, but every Linux migration decision by some public administration or corporate IT department has the potential to indirectly make Windows and those other MSFT products more secure. It's too bad that the governor of Massachusetts, according to information from a pretty good source, prevented the state government from its plans to go for a Munich-style open-source migration. Those types of breakthroughs for Linux on the desktop are key, or otherwise those reports of critical security bugs in MSFT's programs will continue to be issued as frequently as these days. A near-monopolist can always get away even with serious security flaws.

    If MSFT doesn't get some more competitive pressure on the desktop, then their strategic focus will mostly be on how to compete with Internet powerhouses like Google and Yahoo, and console manufacturers like Sony.

    • Re:Open source enhances security of MSFT's custome (Score:5, Informative)

      by HerculesMO ( 693085 ) on Saturday September 17, 2005 @12:23PM (#13585109)
      I mentioned it in another article, but the key for Linux to breakthru to the desktop market is not for widespread adoption by corporate customers, it's just simple, plain old, EASE OF USE.

      I'm a pretty experienced computer user, EX-Windows developer (networking now), MCSE and while I can install Linux and get around it, I don't have a clue of an idea how to do a lot of things, including at times, install software (though I've figured that out with yum and rpm haha!). Either way... until Linux offers the eyecandy that OS X does, with the compatibility that Windows offers... it will still be the DESKTOP choice of nerds.

      I'm waiting for the next version of KDE for some improvements but in reality, I think there's a lot more to be done at even a kernel level to make some things more idiotproof.

      • > the key for Linux to breakthru to the desktop market is not for widespread adoption by corporate customers, it's just simple, plain old, EASE OF USE.

        Why do we want a Linux breakthrough to the desktop market? The only thing the GNOME attempts to do that have done for us is to dumb down applications by eliminating some features and making access to others annoyingly difficult.

        I'd rather see the Linux desktop evolve as a power-user desktop than as a competitor in the mass-market desktop.

      • You are an experienced Windows user. Thats not the same as an experienced computer user. An experienced computer user has been around long enough to have used most systems on the market and that includes unix.

        I can understand that some people find linux hard to use but im pretty confident that its mostly because they are used to do things "the MS Windows way". Surely linux could mimic Microsoft Windows down to the last pixel but that isnt really what most linux users want.

        According to my perception of thing
      • Actually, I have started to do dual booting Windows/Linux installs for my customers. "When Windows screws up - reboot into Linux and carry on working till I can get here..."

  • who posted this!!!! (Score:2, Informative)

    by mayhemt ( 915489 )
    Is this supposed to be news at all???
    come on...sun rises in the east...magnets point N-S...u dont publish that as news...
    note to mod: delete this discussion...
  • Has anyone here actually run their software? Thoughts?

  • The obligatory "IE sucks" comment... (Score:4, Insightful)

    by HerculesMO ( 693085 ) on Saturday September 17, 2005 @12:19PM (#13585090)
    I'll parlay it by saying that when Firefox has 'vulnerabilities' (as the genious in this article pointed out [slashdot.org]... at least it doesn't give the ability for an attacker to "enable a remote attack on systems running Windows XP with Service Pack 2".

    So I'll stick with my more numerous, less invasive, and quickly fixed Firefox 'vulnerabilities' instead of my IE's less in number, more damaging and slower to be fixed 'vulnerabilities'.

    Yup... IE sucks.

  • Real Comparison of IE and Firefox (Score:5, Informative)

    by Hamfist ( 311248 ) on Saturday September 17, 2005 @12:43PM (#13585239)
    Secunia has very informative pages about the relative security of IE and firefox.

    Firefox [secunia.com]

    IE [secunia.com]

    The problems with firefox compared to IE are:

    IE bugs are more frecuently critical
    IE critical bugs take longer to patch
    Fully patched IE is less secure than Fully patched Firefox

  • The Bug is Fixed: Download Patch Here (Score:5, Funny)

    by Chromodromic ( 668389 ) on Saturday September 17, 2005 @12:47PM (#13585251)
    You can download the patch below. They've done, actually, an impressive job with it because, by way of a "peace offering" to the Web community, they've incorporated quite a large number of features from IE7 and future releases far earlier than expected.

    The changes are actually pretty dramatic, with even some significant alterations to the UI and a number of fixes to the bookmarks system. Enjoy.

    http://www.mozilla.org/products/firefox/ [mozilla.org]

  • My world is shaking (Score:4, Funny)

    by tsa ( 15680 ) on Saturday September 17, 2005 @01:36PM (#13585516) Homepage
    And just when IE was officially the safest browser ever! [slashdot.org] What's happening?
  • I'm pretty sure someone told me SP2 is secure... so don't worry about it, you'll all be fine.

  • Firefox vs. IE (Score:5, Insightful)

    by cpu_fusion ( 705735 ) on Saturday September 17, 2005 @02:16PM (#13585729)
    Just a reminder as the FF vs. IE flame wars rage:

    Both IE and Firefox will have bugs that cause security issues. One critical difference is that Firefox empowers the community to fix the issues ASAP, whereas with IE you will *always* be waiting on Microsoft.

    I use the Fedora distribution and typically an announced Firefox bug is patched and available via 'yum' within a day or two, if not faster.

    Firefox allows you to put your trust in the open source community, while IE requires your trust in Microsoft. I think that's pretty much a no-brainer decision for anyone with a passing knowledge of Microsoft history ...
    • Both IE and Firefox will have bugs that cause security issues. One critical difference is that Firefox empowers the community to fix the issues ASAP

      But Firefox is modified in the middle of the night by foreigners that you can't trust.

  • Tell Me Again... (Score:3, Funny)

    by Master of Transhuman ( 597628 ) on Saturday September 17, 2005 @03:08PM (#13585962) Homepage

    how Firefox has more security problems than IE...

    It is appropriate that this surfaces a day after some moron tried to make that argument stick.

    Microsoft: Give...it...up!

    You've lied so often that nobody but your shills believe your FUD anymore -and I'm not even sure THEY do - they just support it for their own moronic reasons.
  • The CNet News article mentions that the flaw is not wormable and that exploiting it requires some user intervention (probably executing or downloading some content).
    What is the big deal?

    Users need to be careful in the first place.
    For starters, don't download crap from goofy Web sites and download porn only via P2P.

  • From TFA:

    A Microsoft representative confirmed that the company had received the report from eEye and said it will be investigating the issue.Because the details of the vulnerabilities have not been made public, users are not at risk of an exploit being developed to take advantage of the flaw, the representative said.

    BZZZT! Wrong!

    If one person can discover a flaw, so can another one. Maybe not immediately, but given enough time it will happen. Microsoft's unwillingness to patch any of their garbage

Slashdot Top Deals

I tell them to turn to the study of mathematics, for it is only there that they might escape the lusts of the flesh. -- Thomas Mann, "The Magic Mountain"

Close