Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×

Zero-Day IE Exploit In the Wild 239

Eric Sites writes to tell us that a new zero-day IE exploit has been found in the wild. It looks to be a bug in VML in IE. The Sunbelt blog notes, "This exploit can be mitigated by turning off Javascripting."
This discussion has been archived. No new comments can be posted.

Zero-Day IE Exploit In the Wild

Comments Filter:
  • Whatever (Score:2, Funny)

    by paranode ( 671698 )
    This thing is so hyped up, my IE has never NO CARRIER
  • by RManning ( 544016 ) on Monday September 18, 2006 @09:29PM (#16135361) Homepage
    Dupe!!!
  • The Sunbelt blog notes, "This exploit can be mitigated by turning off Javascripting."

    I'm certain that most Internet Explorer users don't write JavaScript.
  • No surprise (Score:5, Insightful)

    by Cold_Lestat ( 880518 ) on Monday September 18, 2006 @09:32PM (#16135377)
    There are so many of these Zero Day exploits popping up that I'm just not surprised (or that interested) anymore. One thing i can't get over is how this is still happening? The ammount of stigma now attached to IE has really damaged the product. If they are wise (Personal Opinion) I would scrap the entire codebase of IE and start with an entireley new one for VISTA and change the name so the product gets a new start at life. I don't know, call it Vic the Vista internet client (or Voom sounds better). I switched to firefox quite a while ago, before that, Mozilla, before that Opera and what the hey i even think i was using Netscape before IE and have never looked back. Sorry IE ;).
    • If they are wise (Personal Opinion) I would scrap the entire codebase of IE and start with an entireley new one for VISTA and change the name so the product gets a new start at life.

      They could just adopt Firefox if they wanted to, but they won't because it's Not Invented Here.

      • Oh, that was certainly never a deterrent for MS. They have a long history of acquiring instead of developing.

        But how do you acquire something you cannot buy, hmm? The point is, it is not under their control and they couldn't get it there with open source being the base. Besides, imagine the image loss when it becomes blatantly obvious that open source code holes are fixed by magnitudes faster than their own. Because one thing is certain: Should FF become the default browser for Windows, you'll see the malwa
    • Re: (Score:3, Interesting)

      by smash ( 1351 )

      If they are wise (Personal Opinion) I would scrap the entire codebase of IE and start with an entireley new one for VISTA and change the name so the product gets a new start at life.

      This is not necessarily a smart idea.

      If you simply start afresh, chances are that you're going to end up with all the same exploits all over again.

      They either need to do a full security audit of the code (unlikley for microsoft), or they need to start afresh *and* write it in a language/toolkit that is impossible/much hard

      • Re: (Score:3, Interesting)

        by msobkow ( 48369 )

        I don't think that's true any more. This time it would be reasonable for Microsoft to rewrite their browser in C#.Net, which theoretically provides the kind of sandboxing protection that prevents buffer overflows.

        But would that address evil Java/J/Ecma Scripts? Image file exploits? Any of the vulnerabilities that are actually rooted in the Win32 APIs and the NT kernel?

      • by epine ( 68316 )

        The problem is the incentive structure. No-one ever got as rich at Microsoft finding bugs as hatching them, from Alchin on down.
    • Re: (Score:2, Funny)

      Guys, my computer's still running. It's running Windows XP and I use all three browsers. I use Outlook and Thunderbird. I haven't reinstalled Windows ever on this machine. It's not crashing. Am I doing something wrong? My phone isn't snapping in half either. What am I doing wrong?
      • by robogun ( 466062 )
        br0wse for pr0n in I3 or clicky on linkies in yuor 0utlook emailz, you wil be 0wned. You probably already are & don't know it.
    • by suv4x4 ( 956391 )
      The ammount of stigma now attached to IE has really damaged the product. If they are wise (Personal Opinion) I would scrap the entire codebase of IE and start with an entireley new one for VISTA and change the name so the product gets a new start at life. I don't know, call it Vic the Vista internet client (or Voom sounds better). I switched to firefox quite a while ago, before that, Mozilla, before that Opera and what the hey i even think i was using Netscape before IE and have never looked back. Sorry IE
  • easier solution (Score:5, Insightful)

    by User 956 ( 568564 ) on Monday September 18, 2006 @09:32PM (#16135379) Homepage
    The Sunbelt blog notes, "This exploit can be mitigated by turning off Javascripting."

    It can also be mitigated by using firefox.
    • Re: (Score:3, Funny)

      It can also be mitigated by using firefox.

      Screw that! I'm going back to "telnet www.google.com 80"

      And I'll do that within a VMware image running from a Live CD.

    • Re: (Score:2, Interesting)

      by nmb3000 ( 741169 )
      Blah blah Firefox

      I suppose now is as good a time as any to ask a question.

      I still use IE as my default browser, simply because it loads *fast*. I don't have a brand new system, but when I click the little blue E, I have a browser window inside 2-3 seconds. When I click the little orange fox it often takes up to 8-10 seconds before the window has opened and loaded. I use 'about:blank' for the homepage in both browsers.

      Are there any ways to reduce the time to load firefox? I'd even be fine with starting Fir
      • Well, you could put a link to it in your 'startup' folder and modify the properties of the link to start Firefox minimized. I'm not sure how you could keep a constant copy loaded in the background as I'm assuming IE does. As for the interface, you can get skins for Firefox that look almost exactly like IE.
      • by Jerf ( 17166 )

        I'd even be fine with starting Firefox when Windows loads, keeping the executable in memory.

        There is a folder in your Start Menu labelled "Startup" (or something similar). Drag a copy of the Firefox shortcut into that folder. It will now load when windows loads. Don't close it.

        If you're worried about taskbar pollution... well, you're using the wrong OS. (Or the wrong window manager, anyhow, but my experience is that certain basic assumptions about how Windows works are so deeply embedded into the Windows en

      • Re:easier solution (Score:5, Informative)

        by sporkme ( 983186 ) * on Monday September 18, 2006 @10:25PM (#16135592) Homepage
        Fasterfox [mozdev.org] makes firefox load pages more quickly through various methods.
        The Firefox Tweak Guide [tweakfactor.com] has many options for about:config and other tips for improving your specific experience.
        Firefox Preloader [sourceforge.net] will make Firefox load more quickly by making Firefox do the same thing Internet Explorer does. Firefox will use system resources before being specifically called. The application will remain resident in memory like IE does, waiting for you to click the little fox. In this way, IE loads faster but slows overall system performance.
        How to use UPX to speed it up a little [techsupportalert.com] is what this article can tell you. Probably not the best way to go about it, but I have implemented this method on my HTPC.

        It is VERY important to realize that the few seconds you wait around for the initial loading of Firefox are quickly surpassed by the lag you experience while using Microsoft's Explorer. Firefox ignores many advertisements right off the showroom floor, but can be configured to show NEARLY NO ADS AT ALL. FlashBlock, [mozilla.org] AdBlock, [mozilla.org] and NoScript [mozilla.org] will make your browsing much faster and cleaner.

        Using Firefox, especially with these and other add-ons, will make your browsing incredibly secure. Explorer is left in the dust in comparison.

        So the trade-off you seem to have made is this: A few seconds at load time in exhange for a combined several minutes waiting for ads to be displayed, just so you can fall victim to the shiny! new! IE exploit that seems to get barfed all over Slashdot once a week. This while using an underdeveloped, overpriced, practically featureless browser that has no database of expansions. Unless you are using the Vista beta (7 beta) you aren't even using tabs! Do you choose to commut on a horse? HOW DID YOU EVER SURVIVE THE PERMIAN MASS EXTINCTION? [wikipedia.org] BAH! Why did I bother?
        • Or you can just use Opera :)
        • by suv4x4 ( 956391 )
          Fasterfox [mozdev.org] makes firefox load pages more quickly through various methods.
          The Firefox Tweak Guide [tweakfactor.com] has many options for about:config and other tips for improving your specific experience.
          Firefox Preloader [sourceforge.net] will make Firefox load more quickly by making Firefox do the same thing Internet Explorer does. Firefox will use system resources before being specifically called. The application will remain resident in memory like IE does, waiting for you to click the little
      • Re:easier solution (Score:5, Informative)

        by MightyYar ( 622222 ) on Monday September 18, 2006 @10:36PM (#16135629)
        Yup... go here to install MinimizeToTray [mozilla.org]. MinimizeToTray enables the old "-turbo" option on the command line. Quit Firefox. Right click on the shortcut icon for Firefox that you use (mine is in the "Quick Launch" part of the taskbar). Click Properties. In the "Target" box you will see something like
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        Add the -turbo option so that it reads:
        "C:\Program Files\Mozilla Firefox\firefox.exe" -turbo

        The behavior now is a little confusing... the first time you click the shortcut, it will not open a window. Instead, it will make a Firefox icon appear in the tray. This confuses the holy fuck out of my wife (rightfully). However, subsequent clicks on the icon will give you instant Firefox. To make it cleaner, you can put a copy of the shortcut in your Startup folder. I don't do this because I hate startup programs :)

      • Re:easier solution (Score:5, Informative)

        by causality ( 777677 ) on Monday September 18, 2006 @10:44PM (#16135663)
        The reason why IE starts up so quickly is because the act of booting up Windows pre-loads IE in memory. When you click that blue 'E' icon (which points to an .exe file that is about 30k, as the rest is in DLLs which are already in memory), you're loading practically all of the program from memory, not the hard drive. This also means that whether you are using it or not, the amount of memory required for IE is always being consumed, even after you "close" it. Contrast this with clicking the Firefox icon, which has to read the executable off the hard drive and into memory prior to being able to run it. You didn't think the difference was due to IE being a leaner, more efficient program, did you?

        There is a utility [sourceforge.net] which will allow you to also preload Firefox in memory on Windows. Of course, this does not give you the ability to unload IE from memory (decoupling IE from Windows, to any degree, is problematic at best).

        Of course, how much an extra 6-7 seconds of load time will impact you would depend on usage. Personally I often leave the same instance of Firefox running for days at a time and leave it minimized on a virtual desktop when it is not in use, but if I were really worried about this on a Linux box then I would use prelink [gentoo.org].
        • by rylin ( 688457 )
          Sadly, you're bullshitting.
          The only thing preloaded for IE when windows starts is the GUI controls and the common-controls (dialog boxes such as print).
          The IE/mshtml stuff gets loaded:
          a) If you're starting Explorer (not in shell mode, but as the browsing component) with web-functionality (single-click folder change or common tasks)
          b) When you load IE, go to a web address with Explorer, or load an app utilizing mshtml

          That said, those dlls are kept in memory after that point, but please give up the fucking bu
      • I still use IE as my default browser, simply because it loads *fast*. I don't have a brand new system, but when I click the little blue E, I have a browser window inside 2-3 seconds. When I click the little orange fox it often takes up to 8-10 seconds before the window has opened and loaded. I use 'about:blank' for the homepage in both browsers.

        Interesting, I just did a test. Firefox: 2-3 seconds, IE: 5 seconds. Of course, I was just using and closed Firefox and restarted it again so that probably had
      • Hmm? You close your Firefox? Why?
      • I'm not sure if you realize why IE loads fast.
        IE loads fast because Windows load slowly. IE loads for about 10 seconds, before the desktop appears. Once you click the blue e, you just open a small executable that tells the system to open a new browser window. If you see "start" button, it means IE is already loaded, it's the same program only called with different parameters.

        As others suggested, dropping Firefox into the startup folder gives about the same result - its load time extends Windows load time. C
      • I still use IE as my default browser, simply because it loads *fast*.
        Do you also just go in your pants instead of walking to the bathroom? That's faster, too.

        Just because it's faster doesn't mean it's the best way.
  • by Anonymous Coward on Monday September 18, 2006 @09:34PM (#16135391)
    Why do people still use IE? It's been shown time and time and time and time and time again that it's just not a suitable browser to expose to the dangers of the Internet. And it's not like people don't have alternatives; they do! Opera is free and available on most platforms. Firefox is free and available on most platforms. Seamonkey is free and available on most platforms.

    It's rare these days to find a public site that depends only on IE. Most banking sites, which were really the only holdovers, have realized that Firefox support is necessary.

    The only reason I can think of is ignorance. But even then, most people likely know somebody who could help them install Firefox or Opera for the first time. Maybe each one of us should pledge to tell one other person who isn't aware of the alternatives about them. Make a pact with that person: if they are pleased with their new browser, or it keeps their Windows system free of malware, have them tell one new person about Firefox or Opera.

    Very rapidly, many people will be able to find out about the alternatives, and it'll benefit us all. Us geeks won't have to help relatives and friends with their malware-infested systems. Those users won't have to ask us to help them, or in the worst case, call the Geek Squad or otherwise bring theirs systems in for expensive and inconvenient "decontaminations" (often performed by fools). Plus the private data of those users is far more safe. In short, we all benefit.
    • by Nimey ( 114278 )
      $ORK has a semi-custom intranet app that requires not only IE but ActiveX and (wait for it) the MS Java runtime. No, I don't know what adulterated crack they were smoking; it was before my time.

      I've tried to switch users from IE to FF. It's been more successful with the ex-Netscape users, 'cause I can sell it and T-bird as a direct upgrade. Some people need Outhouse's calendaring features, and some people just can't cope with certain webshites not being compatible with FF, and other people just think tha
    • by Z34107 ( 925136 ) on Monday September 18, 2006 @10:45PM (#16135670)

      People start with IE because it's the Windows default.

      People stay with IE either becasue:

      • They don't care
      • They like it

      If they don't care, why should we? It's their computer that they're leaving vulnerable, after all. Besides, Firefox is starting to lose it's most difinitive advantage over IE - as it's popularity is increasing, so is the number of security vulnerabilities found, rivaling and even surpassing IE month to month.

      Any differences in "speed" are pretty much a wash, too. Internet Explorer definitely starts faster, but it's integrated with the shell. Firefox uses an ungodly amount of memory and leaks it like a sieve. IE7 waits until it has the page 99% rendered before actually drawing it; Firefox will start drawing immediately, piece-by-piece as the site's downloaded. (Both, in total, seem to take the same amount of time.) ActiveX is known for being full of holes, but at least they try to sandbox it - Firefox extentions just blindly run native code.

      Point is that as the differences between the browsers are diminishing - Firefox has forced IE to innovate and comply with standards and more and more pages are designed for Firefox and non-IE browsers. But, the security differences between the two are diminishing, and IE7s interface is cleaner and snappier now, IMHO.

      Save the digivangelism for something more important than "Firefox isn't Microsoft." In Vista especially, IE is next to bulletproof - a reworked Windows kernel runs it within a virtual machine of sorts - and IE+Aero Glass has a much cleaner and prettyfuler interface. Use your browser of choice, but with alternatives and a little healthy competition forcing some new life into the browser world, there's fewer reasons to pick one over the other.

      • by Anonymous Coward on Monday September 18, 2006 @11:35PM (#16135835)
        because their vulnerable computer, once part of a botnet, can be used to help attack our computers.

        why should we get our friends to fix the brakes on their, car? afterall, it's their car, right?
        • by Z34107 ( 925136 )

          Not exactly an apt metaphor - a botnot can't kill you, and you would only be affected if you didn't have a virusscanner/firewall/security combo. (Even Windows has a firewall now!)

          • by smash ( 1351 )
            A firewall, even if it rejects packets, doesn't stop them hitting it.

            They might not kill *you*, but it's quite feasible they'll kill your bandwidth, your bandwidth usage quota, your mailbox, etc...

      • If they don't care, why should we?
        Widespread poor security practices are bad for the general health of the network.
    • by msobkow ( 48369 )
      It's rare these days to find a public site that depends only on IE.
      I guess you don't download updates for video games. Several such sites mandate IE, and look like absolute crap in any other browser. Some won't let you download updates with anything other than their IE plugins.
      • by cortana ( 588495 )
        Such as?

        No game I have ever played demanded the use of IE. Gamers are more likely than the average user to have customised their PC with non-default programs such as Firefox, so I find it hard to believe that game publishers would chop off a large proportion of their market in this way.
  • by billstewart ( 78916 ) on Monday September 18, 2006 @09:34PM (#16135392) Journal
    If I'm using IE, it's because I'm trying to access some site that uses ActiveX or uses Javascript in some IE-broken way, mainly doing tricks that the people who write the HR apps at work think are "useful", or one of the online web-based conferencing systems we or our customers use.

    If I *didn't* need to be doing something dangerous and stupid, I'd be using some version of Mozilla instead of IE. Sigh.


    Yes, I know IE has its security zone thingies that give me a way to restrict it, but it's still annoying.

    • by wirefarm ( 18470 )
      You might want to point out to management that HR is opening up a security risk to the company by requiring that you use software that opens up numerous security holes.

      In effect, it's not much different than if they required you to rent a spare room in your house to a crack-addicted violent sex offender.
      Sure, IE gets "patched" now and then, but crack-addicted violent sex offenders do stints in rehab, too. Doesn't mean I want them around in between...

      Yes, you may quote me on that.
    • Virtual machines are your friend. VMware Workstation is free, and it's pretty easy to set up a vanilla Windows install that will roll back to a snapshot when you're done using it, ready for its next dose of abuse. Perfect for doing dangerous or stupid things, whether in IE or not.
  • Moo (Score:5, Funny)

    by Chacham ( 981 ) on Monday September 18, 2006 @09:49PM (#16135455) Homepage Journal
    Zero-Day Slashdot
    Posted by Chacham [slashdot.org] on 10:45 PM -- Monday September 18 2006
    from the zero-day-is-overused dept.
    [ Slashdot ] [ Teenagers ] [ Slow News Day ]
    Chacham [slashdot.org] writes to tell us that an old zero-day Slashdot [slashdot.org] exploit has been found again and again and again. It looks to be a bug in all browsers. This comment notes, "The bug is in the Submit Story [slashdot.org] link, which is apparently easy available in the side bar."

    No patch has been released. Story posters are standing by.
  • For a long time now, I have been sick of reading about IE exploits. When I was a retail repair tech, these could mean an extra buck or two for the next few weeks. The only real news about internet browser exploits comes when browser != iexplore.
  • IE on VM (Score:3, Informative)

    by coobird ( 960609 ) on Monday September 18, 2006 @09:56PM (#16135488) Homepage

    It seems like we're getting to a point where probably the only safe way to be surfing is by using a browser on a sandboxed virtual machine environment.

    I'm not trying to point my finger only at Internet Explorer, but with security holes that can allow code execution, that's pretty scary. (And another case of buffer overrun? Maybe they ought to rewrite IE as managed code [microsoft.com], but that's another topic all together.)

    • by ettlz ( 639203 )
      Good idea to protect the system, but what about all the valuable personal information that flows through browsers these days?
  • Is the IE7 Beta/RC/whatever currently out affected?
  • "zero-day" meant you have something effective before release, e.g. "zero-day keygen" means you have a keygen that works before the product goes retail such that on the first day of distribution people can use it.

    Clearly IE has been "out for a while" so you can't make a zero-day for IE.

    Tom
    • by smash ( 1351 )
      This is zero day, because it exploits a flaw before it has been reported to (or fixed by) Microsoft :)

      It's not IE that's zero day, it's the exploit...

      • From http://en.wikipedia.org/wiki/Zero_day [wikipedia.org]

        "Zero-Day exploits are released on the same day the vulnerability -- and, sometimes, the vendor patch -- are released to the public. The term derives from the number of days between the public advisory and the release of the exploit. The term 'zero-day exploits' is sometimes misused to indicate publicly known exploits for which no patches yet exist."

        The misuse of "zero day" in this article and "back door" in the Adobe article bother me more than the existence of

        • by smash ( 1351 )
          Hrm, regardless of what wikipedia says, i take 0 day to mean "zero warning"... whether it's out before the vulnerability is made public (which it kinda is anyway, by way of the exploit being out for it :D) or at the same time, the end result is the same...
    • Re:I thought ... (Score:5, Informative)

      by jschottm ( 317343 ) on Monday September 18, 2006 @10:36PM (#16135627)
      I thought "zero-day" meant you have something effective before release

      In exploit terms, n-day means the number of days after a fix is released for the problem exploited by the attack. Most notable worms of the past have been n >= 1 (often much more) attacks - either someone deduces the flaw based on the patch release or the flaw was already known but only guardedly used in order to do high level target attacks while it was still unknown to the public.

      Zero day refers to attacks that are released before the flaw is publically known. It's based on the specific flaw, not the application in general. Zero day attacks are nasty on two fronts - first, no one has specific protection or detection available for it, second, as mentioned, they are sometimes used on very specific targets. There was a recent string of what appears to be industrial espionage where very specific people have been sent MS Office attachments with previously unknown exploits in them.
  • My two cents... (Score:3, Informative)

    by Antony-Kyre ( 807195 ) on Monday September 18, 2006 @10:21PM (#16135582)
    Internet Explorer users should know by now not to surf with Javascript enabled. Disable it and add trusted sites to the "Trusted sites" list.
    • Re:My two cents... (Score:4, Insightful)

      by shird ( 566377 ) on Monday September 18, 2006 @11:33PM (#16135824) Homepage Journal
      You do realise that would result in *less* security? The 'Trusted Sites' zone has far less security restrictions that the 'Internet' zone.

      What you propose would require people to add the likes of Slashdot and Hotmail to the 'Trusted Sites' zone to function correctly. This effectively gives such sites far more access than you would probably like, much more than without playing with your 'zones' at all.

      thats a daft proposal.
      • Re:My two cents... (Score:4, Informative)

        by Antony-Kyre ( 807195 ) on Tuesday September 19, 2006 @12:07AM (#16135931)
        Hotmail yes, because I believe Javascript is needed to click on some of the links, like for the folders.

        Slashdot, no. Slashdot works fine without Javascript.

        You don't have to pour a bunch of sites into the Trusted sites category. Only the ones that you are positive are safe and constantly use that REQUIRE javascript.
    • Just don't do it using MSIE.

      Simple, eh?

      Of the 4 browsers I have here, all are safer in JavaScript than MSIE (FireFox [mozilla.com], SeaMonkey [mozilla.org], Opera [opera.com], Konqueror [konqueror.org]). Three of those are easily available for 'doze & even Konqueror can be made to work [straightrunning.com] in it.

      Er... sorry, I also have lynx [isc.org], links [sourceforge.net] & w3m [sourceforge.net] available, plus Galeon [sourceforge.net] and a few other GNOMEish built-ins kicking around. Spoilt for choice!
  • by Anonymous Coward on Monday September 18, 2006 @10:24PM (#16135588)
    Your Windows Genuine Advantage will protect you!
  • Oh, okay... (Score:5, Interesting)

    by Skudd ( 770222 ) on Monday September 18, 2006 @11:20PM (#16135778) Homepage Journal
    Avoid the bug by turning off JavaScripting. Does anyone else see the issue with that?

    One acronym: AJAX.

    Looking at a variety of server logs for websites I'm currently in charge of, I see that Internet Explorer, even among the "geek" crowd, still has a very strong foothold in the browser market. I've worked closely with customers of my own and even after explaining the threat to them, they continue to use IE.

    Thanks to Web2.0 (and various other forms of propganda), Asynchronous JavaScript and XML (AJAX) has all but taken over the Internet. Now, with a bug such as this, the AJAX-driven sites are in trouble (assuming every IE user does turn off JS).

    I'm not about to start a "Browser War" with this entry, but I have to say; IE is a very volitile threat, and an Open Source replacement would more than benefit the well-being of the Internet as we know it. Pick your poison - Firefox, Mozilla, Opera, Lynx, wget - they're all superior to IE in the sense that they are not an integral portion of the operating system, thus they pose less risk to the security of said OS.

    Rather than disable JavaScript in every IE install in the world, take the time to replace IE with something far less dangerous and educate the user on the dangers of using IE over the replacement.
    • by 93 Escort Wagon ( 326346 ) on Monday September 18, 2006 @11:41PM (#16135845)
      "Thanks to Web2.0 (and various other forms of propganda), Asynchronous JavaScript and XML (AJAX) has all but taken over the Internet. ... Pick your poison - Firefox, Mozilla, Opera, Lynx, wget - they're all superior to IE..."

      Dude, you must be one master coder - you've got an AJAX framework that will work with wget?
      • by Skudd ( 770222 )
        Okay, you've got me there. But still, the point is that IE is the most popular browser, AJAX is becoming increasingly popular, and the advisory suggested disabling JavaScript.
    • by suv4x4 ( 956391 )
      Pick your poison - Firefox, Mozilla, Opera, Lynx, wget - they're all superior to IE in the sense that they are not an integral portion of the operating system, thus they pose less risk to the security of said OS.

      I'd agree with your IE rant except that part. First of all IE being "part of the OS" was never a security issue. It's a myth. There's no pieces of IE running in "kernel mode". That's a myth too.

      Hell, IE7 isn't even a part of the OS. It's a standalone app, and Windows Explorer uses different librarie
    • ``Now, with a bug such as this, the AJAX-driven sites are in trouble (assuming every IE user does turn off JS).''

      That's only if the programmers throw graceful degradation out of the window. Graceful degradation has been there since the beginning of HTML and Javascript, and I feel webmasters who break it are not worth the name (unless, of course, their bosses force them to, in which case the bosses are acting dumb).

      The right way to make websites is as it's always been: make a simple page that displays the co
  • ...javascripting.

    That made me cringe.
  • Safe browsing (Score:3, Interesting)

    by nidarion ( 654639 ) on Tuesday September 19, 2006 @01:16AM (#16136122) Homepage
    I've been running Firefox for four months with "Noscript" installed. Javascript itself is being abused far too much to bypass popup blockers and generally screw around with a browser in a way that shouldn't be allowed. If I want a website to mess with me, I have to whitelist it first. It's annoying, especially around ecommerce sites, but I have peace of mind.
  • by dpbsmith ( 263124 ) on Tuesday September 19, 2006 @07:22AM (#16136940) Homepage
    ...but, isn't that the "J" in AJAX, the underpinnings of Web 2.0?

    Why do people even bother to give advice that is basically impossible to follow?

    It's not my fault that so many of the websites I want to use now rely on Javascript, but the fact is they do.

    Saying "This exploit can be mitigated by turning off Javascripting" is true, but as about as useful as saying "the risks of plane crashes can be mitigated by not flying."
  • by kimvette ( 919543 ) on Tuesday September 19, 2006 @11:53AM (#16138718) Homepage Journal
    "This exploit can be mitigated by turning off Javascripting."


    . . . and you can avoid >99% of car accidents by not turning on the engine, but then the car isn't very useful, is it.

Heard that the next Space Shuttle is supposed to carry several Guernsey cows? It's gonna be the herd shot 'round the world.

Working...