
MS Issues Emergency IE Security Update

CmdrTaco posted more than 4 years ago | from the press-the-panic-button dept.

WrongSizeGlass writes "CNET is reporting that Microsoft has issued an emergency patch for 10 IE security holes. 'The cumulative update, which Microsoft announced on Monday, resolves nine privately reported flaws and one that was publicly disclosed. ... Software affected by the cumulative update addressing all the IE vulnerabilities includes Windows 2000, Windows XP, Windows Server 2003 and Server 2008, Vista, and Windows 7.'"

114 comments

F0STY P1SS (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31677558)

Icy Cunt!

Re:F0STY P1SS (-1, Offtopic)

spazdor (902907) | more than 4 years ago | (#31677566)

it's FR05TY. learn to troll.

Re:F0STY P1SS (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#31677704)

Hey When your typing fast to get first post you can't worry about R's or cuntdot fags bitching that you didn't use a for the S.

Re:F0STY P1SS (-1, Offtopic)

Starteck81 (917280) | more than 4 years ago | (#31677710)

it's FR05TY. learn to troll.

Maybe that was part of his trolling. Either way you bit hook line and sinker. Next time don't reply and let the mods mop him up. ;-)

Re:F0STY P1SS (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31677916)

Mods got you too cuntdot fag! Speaking of mods, who wants to waste another mod point? For some fucking reason I have to wait more than TEN fucking minutes between posting comments, I wonder which Cuntdot fag came up with that!

Re:F0STY P1SS (-1, Offtopic)

koiransuklaa (1502579) | more than 4 years ago | (#31678152)

Goddamit, mismoderated again (I meant 'Informative')

Why am I seeing this crap? (0, Offtopic)

Anonymous Coward | more than 4 years ago | (#31678642)

Can someone with more slash-fu than me help me out there? This is marked -1 Troll, and I browse at 1. Why is this expanded out on my screen? I don't need to see some lonely 12 year old reject from 4chan's pathetic attempts at attention getting.

Pwn2own strikes again (4, Informative)

sxedog (824351) | more than 4 years ago | (#31677582)

Amazing... that was only a week ago!

Re:Pwn2own strikes again (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#31677668)

IE: because idiots who want to use what they don't understand deserve to get 0wned.

Re:Pwn2own strikes again (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#31677740)

It must really rile you freetards up that even with all the viruses, malware, spyware, trojans, IE exploits, etc that people will still put up with all that and run Windows instead of using Loonix. Hell they will even pay 200+ dollars for the privilege! The fact that you can't even give away Loonix for free is a pretty sad sign of how much fail your OS of choice really is.

Re:Pwn2own strikes again (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31677862)

Oh, I am so pissed at this guy dissing Loonix (it's Lunix BTW, dummy)?

Where can I find a place to anonymously attack him? Preferably, with personal attacks and comments questioning the character of his mom?

But, alas, there is no such place . . .

Re:Pwn2own strikes again (4, Insightful)

amicusNYCL (1538833) | more than 4 years ago | (#31677806)

idiots who want to use what they don't understand deserve to get 0wned.

Totally. All those drooling idiots driving cars without knowing how to rebuild an engine and transmission are just asking for it.

Re:Pwn2own strikes again (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31678258)

idiots who want to use what they don't understand deserve to get 0wned.

Totally. All those drooling idiots driving cars without knowing how an engine and transmission work are just asking for it.

Fixed that for you. In light of the latest "sudden acceleration" fad, it should be obvious.

Re:Pwn2own strikes again (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#31678434)

That FAD is exactly that. As I said earlier today, every other manufacturer had the same problem at the same low reporting rate until the story exploded, then the reports of the issue doubled for Toyota, but no one else. Hmm, interesting.

Plus, the facts surrounding the recent 90+ MPH "out of control" Prius point overwhelmingly to a hoax for media attention and legal awards (serious financial trouble, a history of hoaxes and media whoring, reports of suspicious conversations beforehand, etc). I wouldn't be surprised if most or ALL of the publicized instances in the last few months were hoaxes.

It is not a problem with the car or its software, it's a problem with the drivers.

Re:Pwn2own strikes again (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#31678532)

That would be a bit out of character for the Woz, don't you think?

Re:Pwn2own strikes again (0, Offtopic)

perryizgr8 (1370173) | more than 4 years ago | (#31682026)

woz is just another fucked-up guy. seriously, i don't have any respect for people who are unable to take credit for their own work.

Re:Pwn2own strikes again (0, Offtopic)

Ollabelle (980205) | more than 4 years ago | (#31679378)

Oh come on now.

What part of the story of the family in a decrepit Lexus with worn-out brakes doing acceleration overtime wasn't true? THAT's what got this Toyota-bashing story started. And even Toyoda himself admitted it - they got greedy and too big too fast.

Re:Pwn2own strikes again (2, Insightful)

steelfood (895457) | more than 4 years ago | (#31678528)

Actually, your analogy would be asking everybody who used a browser to know how to code.

On the other hand, it's a good idea for people to learn about the technology behind websites before browsing them. For example, knowing what javascript is, what flash is, what cookies are, what xml is and how it relates to web pages, etc. And they may want to know how to block or clear cookies and block javascript and clear cache.

And that's asking people to know the laws of driving, how to read the street signs, to know what happens when roads get wet or are covered in snow, to know about dirt versus gravel versus asphalt versus cement, and how to react appropriately under each circumstance. And it's asking them to know how to use the e-brake or the transmission. And that's certainly not too much to ask.

Re:Pwn2own strikes again (2, Insightful)

amicusNYCL (1538833) | more than 4 years ago | (#31680152)

And that's certainly not too much to ask.

It most definitely is. I don't need to understand Blu-ray encoding in order to watch a movie, I don't need to understand how WEP works (or doesn't) in order to connect to an access point, and I don't need to understand how GSM or SMS works in order to send a text message. I don't need to understand how the Playstation network operates in order to play online, I don't need to understand how HVAC works in order to cool my house, and I don't need to understand how an electrical coil heats up in order to toast bread. Users don't care about those things. Expecting a user to educate themselves about Javascript IS asking quite a bit (XML? really?).

And that's asking people to know the laws of driving, how to read the street signs, to know what happens when roads get wet or are covered in snow, to know about dirt versus gravel versus asphalt versus cement, and how to react appropriately under each circumstance. And it's asking them to know how to use the e-brake or the transmission.

Are you under the expectation that all drivers on the road know all of those things? Not to pick on women, but stories from mechanics about women reporting problems with their cars are about as amusing as the clueless tech support calls we enjoy so much. The fact is that people do NOT know those things about driving, but you expect someone to educate themselves on XML before they go to MSN?

Re:Pwn2own strikes again (1)

b4dc0d3r (1268512) | more than 4 years ago | (#31681670)

On one hand, the analogy was flawed and had to be corrected. On the other hand, the explanation was poorly done. A better explanation would be that people need to learn things about their browser in order to use it effectively. Like "too good to be true" probably means it's not true. Or there ain't no such thing as a free lunch. Common sense that says don't take unknown things from unknown people. That's what people forget - no other application has opened people up to identity theft just by operating it. Since a browser uses so many external files, it's the exception that no one thinks about.

What's the penalty for not knowing? In the car analogy, safety of the people you might otherwise drive over, or yourself, should be the motivator. People drink and drive, they text and drive, they don't pay attention, or they aren't familiar with their vehicles. Most people do not fall in this category, a few do. The penalty is in a few cases someone successfully installs a spambot the user will never notice. In fewer cases the user's personal files get transferred, and some of those get used and credit card companies block cards due to suspicious activity and a few people lose money. If it were a big problem, we'd hear stories every night on the news, but it only comes up a few times a year.

There's no incentive to learn because 1) it's rare and 2) learning is not a requirement, as it is in a driver's license test. This is where the "Internet driver's license" idea makes sense, until we realize how impractical it would be. Then we're back to the situation where people should learn, but don't, and it's only a problem for a few people a year.

Re:Pwn2own strikes again (1)

Tim C (15259) | more than 4 years ago | (#31683790)

That's what people forget - no other application has opened people up to identity theft just by operating it.

All the people who fell for 419 and similar scams by reading and replying to emails would beg to differ.

Re:Pwn2own strikes again (1)

vegiVamp (518171) | more than 3 years ago | (#31684914)

The people who got 419ed didn't just operate their mail client (or browser, more likely), but actively responded, repeatedly, to an obviously too-good-to-be-true offer from someone they didn't know in a country they may not even have ever heard of, and then enacted one or more banking transactions to the same unknown factor.

It's like I'm driving my car on the highway, and I suddenly decide to follow an arrow that says "Promised Land" and points into a dark, foggy gravel road that goes in the direction of where there clearly was a ravine a few hundred yards earlier.

Re:Pwn2own strikes again (0)

Anonymous Coward | more than 4 years ago | (#31684088)

This is one of the most ridiculous posts I have ever read on Slashdot during my 10 or so years and the fact that you have been modded insightful just makes it more sad and obvious how out of touch many readers of this site are.

Re:Pwn2own strikes again (1)

drinkypoo (153816) | more than 3 years ago | (#31685892)

And that's asking people to know the laws of driving, how to read the street signs, to know what happens when roads get wet or are covered in snow, to know about dirt versus gravel versus asphalt versus cement, and how to react appropriately under each circumstance. And it's asking them to know how to use the e-brake or the transmission. And that's certainly not too much to ask.

I agree, but apparently no state in the USA does, especially not California. They'll give you a license anyway. Crap, by the time I had to take my driving test, you no longer even had to parallel park.

Re:Pwn2own strikes again (1)

evanbd (210358) | more than 4 years ago | (#31679148)

idiots who want to use what they don't understand deserve to get 0wned.

Totally. All those drooling idiots driving cars without knowing how to rebuild an engine and transmission are just asking for it.

What about people that don't know they need to lock their doors when they leave the car, or change the oil on a regular basis?

Re:Pwn2own strikes again (1)

amicusNYCL (1538833) | more than 4 years ago | (#31680166)

What about people that don't know they need to lock their doors when they leave the car, or change the oil on a regular basis?

If they're like a normal person, they learn from their mistakes and they don't do the same thing again.

Re:Pwn2own strikes again (2, Insightful)

evanbd (210358) | more than 4 years ago | (#31680438)

What about people that don't know they need to lock their doors when they leave the car, or change the oil on a regular basis?

If they're like a normal person, they learn from their mistakes and they don't do the same thing again.

Oddly, computers seem to be exempt from that. The same people get viruses, trojans, malware, etc, and keep downloading crap and failing to install updates, and it keeps happening. Most drivers seem to learn to change the oil after destroying an engine, but somehow computer users are different. Clearly there's plenty wrong with the software in the first place, but there's also something very odd about users who experience these problems and then both continue using the same problematic software and failing to learn from their mistakes.

Re:Pwn2own strikes again (1)

Spad (470073) | more than 3 years ago | (#31684860)

Because it doesn't usually cost them thousands to repair.

Re:Pwn2own strikes again (1)

mcgrew (92797) | more than 3 years ago | (#31686450)

The difference between cars and computers is, if you ruin your engine by not changing the oil, your mechanic will tell you "look, you have to check your oil regularly and change it on schedule or you're going to ruin the new one I just put in."

If Mechanics were like the Geek Squad they'd tell you that having your engine blow up periodically is normal and expected. And taking a computer to Best Buy is what most people do.

Re:Pwn2own strikes again (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31679776)

Zing!

Re:Pwn2own strikes again (0)

Anonymous Coward | more than 3 years ago | (#31685432)

idiots who want to use what they don't understand deserve to get 0wned.

Totally. All those drooling idiots driving cars without knowing how to rebuild an engine and transmission are just asking for it.

That's right. And if you don't know exactly what's going on inside that disk I/O driver, you shouldn't be allowed to keep permanent files.

Re:Pwn2own strikes again (1)

hesaigo999ca (786966) | more than 3 years ago | (#31686718)

I agree to a certain extent with your comment, especially using a car as a main example to describe computer usage.... I would never drive a car without having taken courses first, and even then, some people are such bad drivers, it is not because they own a car they pass the test to drive.
As well I would also try to force them to realise more the conduct on the road as a blueprint for surfing the web...road signs need to know how to read them and use them to avoid traffic, or jams, or to know when to stop...using a mechanical stand point might not be fair on the situation...let's use headlights instead.

Most people do need to know how to turn on their headlights if they are going to drive at night, each car has their own place for such a thing, some on the dashboard, some on the steering column, but most people know how to use them, and know to turn them on at night....unless they want a ticket from the cops.

Likewise, people using browsers, should know about security, and how it applies to them, knowing that you are secure is different than knowing WHY you are secure. Also, if they are about to let their kids use the computer, how to control them from going on bad sites, etc....there are many ways to spin the analogy but in the end, I do agree that not because you own a computer that you know how to use one.

Re:Pwn2own strikes again (1)

smash (1351) | more than 4 years ago | (#31681638)

IE has its place in corporate networks. Like it or not, there is plenty of software that people use every day to GET THEIR JOB DONE that does not work in anything else. If patched and placed behind an appropriate filtering proxy/firewall IE security is manageable with security zones and group policy. Plenty of idiots run IE, and yes they get owned. Plenty of idiots run linux and get r00ted as well (I used to be one, before I knew shit from clay - I had a couple of boxes r00ted back in 1999).

A competent admin can ensure IE is "safe enough" for corporate usage.

Re:Pwn2own strikes again (1)

perryizgr8 (1370173) | more than 4 years ago | (#31682060)

ie just needs to go. big companies are still holding fast to win xp. would you say that refusing to let go of a 10 year old software is justified? ie6 is also 10 year old i think.

Re:Pwn2own strikes again (1)

vegiVamp (518171) | more than 3 years ago | (#31684932)

I agree that there is stuff that doesn't work in anything else, but it can be argued that the stuff needs fixing, then.

If my car were to work only on Belgian roads, I would be rather quick to either get it fixed or swap it for one that works on all roads.

Re:Pwn2own strikes again (1)

SuperDre (982372) | more than 4 years ago | (#31684164)

Don't forget that FireFox and Linux have just as many security holes, the only reason why you are safer on linux is because of the diversity of distros/versions (that's the biggest problem with linux) and because it's not an interesting platform (yet) for malware-makers because too few (regular) people are using it..

How is "MS releases emergency patch" news? (2, Insightful)

Colin Smith (2679) | more than 4 years ago | (#31678070)

This is normal. Expected. Everyday life for millions of Windows users.
 

Re:How is "MS releases emergency patch" news? (2, Insightful)

DAldredge (2353) | more than 4 years ago | (#31678392)

Like other operating systems don't have patches?

Re:How is "MS releases emergency patch" news? (1)

dudpixel (1429789) | more than 4 years ago | (#31681738)

what about emergency ones?

in my experience these are VERY rare, except on Windows.

Re:How is "MS releases emergency patch" news? (1)

DAldredge (2353) | more than 4 years ago | (#31681834)

Then your experience is so limited as to be nonexistent. Oracle, IBM, Sun (RIP) and nearly every other major software house on the planet has released some sort of emergency patch.

Re:How is "MS releases emergency patch" news? (1)

techno-vampire (666512) | more than 4 years ago | (#31682004)

I won't say that no Linux distro or program ever releases an emergency patch, but when they do, most users don't know it's an emergency. Why? Because unlike Microsoft, they don't try to stick to a once-a-month release schedule for patches, so they don't have to make a special announcement or tell the world that it's an emergency; they just release it along with whatever other patches, updates or upgrades happen to be available at the moment.

Re:How is "MS releases emergency patch" news? (1)

dudpixel (1429789) | more than 4 years ago | (#31683550)

read it again. I didn't say emergency linux patches don't exist, I said they are rare. At least not as common as windows ones.

Re:How is "MS releases emergency patch" news? (1)

DAldredge (2353) | more than 3 years ago | (#31686056)

You didn't limit your original post to just Linux now did you?

Re:How is "MS releases emergency patch" news? (1)

perryizgr8 (1370173) | more than 4 years ago | (#31682090)

that's only because of ms' well-known agility, lol, others are just too slow/lazy.

Re:How is "MS releases emergency patch" news? (1)

dudpixel (1429789) | more than 4 years ago | (#31683560)

apparently it's not as "well-known" as you think.

Re:How is "MS releases emergency patch" news? (1)

perryizgr8 (1370173) | more than 4 years ago | (#31684102)

it's called sarcasm.

Re:How is "MS releases emergency patch" news? (1)

MacWiz (665750) | more than 4 years ago | (#31683760)

Like other operating systems don't have patches?

Occasionally, but not every other Tuesday for the last 10 years or so, sapping the productivity of the entire corporate spectrum on a regular basis. And how many "emergency" patches has IE had already this year?

Re:How is "MS releases emergency patch" news? (1)

DAldredge (2353) | more than 3 years ago | (#31686086)

If only Microsoft made a product that allowed you to control what updates got sent to your systems.  They could call it something like Windows Server Update Services.

Oh! they do make such a thing http://en.wikipedia.org/wiki/Windows_Server_Update_Services

Re:How is "MS releases emergency patch" news? (0)

Anonymous Coward | more than 4 years ago | (#31680074)

And sadly even more common for firefox and linux users :(

Re:How is "MS releases emergency patch" news? (1)

perryizgr8 (1370173) | more than 4 years ago | (#31682076)

most people won't even know. i hate windows. but i have to agree, the updating is pretty seamless, and invisible to the user. ubuntu needs to learn.

Re:How is "MS releases emergency patch" news? (1)

vegiVamp (518171) | more than 3 years ago | (#31684868)

You mean, like the "Install security updates without confirmation" option that's in my two-versions-behind Ubuntu ? Oh, right, you mean the "reboot for nearly every patch" kind of seamless, yeah, you're right, that's missing from Ubuntu.

I loaded this article yesterday with Opera (0, Offtopic)

Orga (1720130) | more than 4 years ago | (#31677628)

That's just how fast it is.

Re:I loaded this article yesterday with Opera (0)

Anonymous Coward | more than 4 years ago | (#31678100)

YEAAH - it might be offtopic but it's the damn truth.

Re:I loaded this article yesterday with Opera (1)

perryizgr8 (1370173) | more than 4 years ago | (#31682098)

it may be fast, but it sure SUCKS!

Cnet link not really informative (4, Informative)

Bearhouse (1034238) | more than 4 years ago | (#31677640)

Ms link here:

http://www.microsoft.com/technet/security/Bulletin/MS10-018.mspx [microsoft.com]

No real sweat for IE8 on Win7...

Better links here: (5, Funny)

Anonymous Coward | more than 4 years ago | (#31677782)

Link 1 [mozilla.com]
Link 2 [opera.com]

Re:Better links here: (1, Troll)

Lunix Nutcase (1092239) | more than 4 years ago | (#31677830)

Re:Better links here: (3, Interesting)

Ron Bennett (14590) | more than 4 years ago | (#31677996)

Firefox is nice and is my default browser, but not much better than IE8 when it comes to security vulnerabilities.

For example, many feel Firefox is so much more secure than IE8 and yet why is it that pop-unders (not the same as pop-ups, which FF does a good job blocking) from the likes of Netflix, even after years of complaints, still haven't been addressed?

Surely, if unwanted pop-unders can slip through in Firefox, likely so can other unwanted things. Despite being an open-source program, I'm surprised there's still no built-in defense against pop-unders in Firefox. Yes, I know there's Adblock, but that comes with a bunch of overhead and, from what I've read, doesn't always block pop-unders either. End of rant.

Re:Better links here: (1)

Paradigm_Complex (968558) | more than 4 years ago | (#31682868)

Surely, if unwanted pop-unders can slip through in Firefox, likely so can other unwanted things.

That's a non sequitur. Consider: The Firefox developers do not view disabling pop-unders as anywhere near as important as ensuring the browser is secure. The fact that the developers did not put the time and effort into disabling pop-unders does not mean they aren't able to keep Firefox secure.

I'm not saying that Firefox is secure so much as that your reasoning is faulty. You could try to argue that the Firefox developers don't care about end-user complaints, or something along those lines, with that anecdote. It's not, however, proof against Firefox being secure.

Re:Better links here: (1)

abigsmurf (919188) | more than 4 years ago | (#31684202)

I just wish Firefox wouldn't go crazy when you get a popunder and switch to a random open window. This bug has been around for years and it's pretty irritating. Why hasn't it been addressed yet?

Re:Better links here: (1)

Richard_at_work (517087) | more than 3 years ago | (#31685176)

I wish that a modal dialog window in one tab wouldn't block the entire browser - cannot switch tabs, cannot do anything other than acknowledge and dismiss the dialog window, which kind of fucks everything up when the modal dialog is caused by infinitely looping code :(

Re:Better links here: (4, Insightful)

Enderandrew (866215) | more than 4 years ago | (#31678024)

If Chrome had a better ad-blocking solution, I'd agree with you. All the Chrome ad-blockers still render/run the ad in the background

I was reading AintItCoolNews with Chrome, and some ad in the background downloaded and opened a PDF without asking me, which Microsoft Security Essentials was quick to report had malicious code in it.

With Firefox and Adblock Plus, I never see ads. Where are most of these exploits going to originate from? Ads.

Re:Better links here: (1, Interesting)

Smooth and Shiny (1097089) | more than 4 years ago | (#31678444)

There is AdBlock for Chrome as well. Seems to work fine on this end.

Re:Better links here: (3, Informative)

aztracker1 (702135) | more than 4 years ago | (#31678668)

Re-read the GP.. the content still gets rendered, even if you don't see it... Which means any exploits still get through.

Re:Better links here: (1)

Jugalator (259273) | more than 4 years ago | (#31684038)

If you set up Chrome to use a script-based whitelist, you essentially have a poor man's NoScript. It's then also easy to unblock certain sites you come across, by using the rightmost omnibar icon that will show for all pages that have js blocked. (a scroll of paper with a cross mark)

Re:Better links here: (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31679792)

Chrome + Adblock > Firefox + Adblock

There are still open security vulnerabilities for Firefox dating back for years in their trackers, one of which I ran into myself just recently.

For those with Firefox, just open this lovely link to see for yourself (may want to save anything first and if you have Firefox set to reopen your tabs from last time you may want to disable that before clicking, else you will need to delete the session file that stores the list of open tabs):
http://tinyurl.com/ybsh3dz

javascript:for(;;)alert('owned')

Re:Better links here: (1)

smash (1351) | more than 4 years ago | (#31681666)

squid+squidguard. done.

Re:Better links here: (1)

Jugalator (259273) | more than 4 years ago | (#31684022)

If Chrome had a better ad-blocking solution, I'd agree with you. All the Chrome ad-blockers still render/run the ad in the background

Since Chrome 4.1, I just use the browser blacklist for the annoying domains to prevent running Javascript and plugins (= Flash).

It instantly cleans at least two major newspapers here, as a whole lot of advertising is JS or Flash-based, or both. And makes them faster than I have ever seen too, as a bonus.

Browser black/whitelists with forced includes/exceptions for js/plugins/images is in all OS editions of Chrome since the latest betas for the respective operating systems.

I think I filed, or at least voted on, a bug that says these black/whitelists should do pattern matching though.

Re:Better links here: (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#31678068)

You're better off running Chrome.

Only because I want google to know everything about my browsing at all times.

Re:Better links here: (1)

FictionPimp (712802) | more than 4 years ago | (#31678536)

How else can they keep you safe?

Mods? (0)

Anonymous Coward | more than 4 years ago | (#31678910)

Why is the pp modded Flamebait? IMO, It expresses a valid concern.

Opera troll fail (1)

clang_jangle (975789) | more than 4 years ago | (#31678130)

Opera vulnerability that the company denies is a vulnerability

Following that link, I see:

the vulnerability was confirmed in Opera 9.10

That's pretty old. I'm using Opera 10.10 (on FreeBSD) here...

Re:Opera troll fail^2 (0)

Anonymous Coward | more than 4 years ago | (#31678370)

Current Opera release is now 10.51 (new JavaScript engine and "world's fastest browser" again).

The troll links to a blog post on softpedia.com that reads like a disgruntled user that thought he should have inside access to Opera devs about an issue (as you pointed out) on an old version.

Perhaps he should have pointed to a professional browser security evaluation site like Secunia.com where Opera has been the most frequently top-rated for quality of security and speed at fixing issues over the years. I'm sure he wished that he could have.

Re:Opera troll fail^2 (0, Troll)

Lunix Nutcase (1092239) | more than 4 years ago | (#31678522)

Perhaps he should have pointed to a professional browser security evaluation site like Secunia.com

Okay. Here [secunia.com] is the Secunia link about the same issue. That better for you?

n/t (0)

Anonymous Coward | more than 4 years ago | (#31679660)

I was fully aware of the issue on Opera 9.1 way back when it was found. That's why I upgraded a long time ago. I have since upgraded several times as new versions have come out in the intervening couple of years. Opera's current version is 10.51

You are trying to create the false impression that Opera does not fix security issues because you found (or left) a blog post about one in an old version, which is rather disingenuous.

As I have referred to them for years, I am also aware of the fact that secunia.com documents such issues and I saw the reference to Secunia in the blog post that you linked.

The problem here is that my wording of my post was poorly thought out because I wanted to react quickly to your attempt to create an invalid impression. So you tried to turn my wording on me. Nice try.

So I'll try again.

Every browser has had and will continue to have security issues. But evaluation of said is not the binary situation that you are attempting to imply (browser X had a security issue in an old version, therefore it is as bad as any other).

Proper evaluation of a browser's security is product of metrics such as the following:

1) how many security issues are found in a release?
2) what is the severity of each?
3) how long does it take the vendor to fix them and make fixes available?
4) how many are currently unpatched?

Secunia has pretty consistently rated Opera as best in each category for several years. That's why it is difficult to criticize Opera and broadly point to Secunia's evaluations, which is what I was indirectly challenging you to do (as opposed to a blog post rant about a single issue).

Secunia has indicated with great regularity that, while not perfect, Opera is consistently pretty damned good.

Re:Opera troll fail (0, Troll)

Lunix Nutcase (1092239) | more than 4 years ago | (#31678658)

So by this logic one should just ignore any exploits in IE6 just cause most people are using IE7 or 8?

Re:Opera troll fail (0)

Anonymous Coward | more than 4 years ago | (#31679186)

Yes, actually. But unfortunately, in the wacky world of windos words like "obsolete" or "deprecated" have no meaning. Stay current FTW!

Re:Better links here: (1)

perryizgr8 (1370173) | more than 4 years ago | (#31682124)

chrome is great. i've been using it on ubuntu. but it gets sluggish after a day or two. firefox's performance is consistently slow, but it IS consistent. opera simply sucks. opera mobile on my e71, it's the best browser on a smartphone. (i don't consider the iphone to be a smartphone cause it can't run >1 apps)

Re:Better links here: (1)

Animaether (411575) | more than 4 years ago | (#31677936)

why even bother with those... just point people to http://www.browserchoice.eu/ (and tell them to ignore the IE one, I suppose)

Re:Better links here: (1)

abigsmurf (919188) | more than 4 years ago | (#31684204)

The same Mozilla firefox that took a month to patch a publicly known exploit recently?

If anything, Firefox is more vulnerable to exploits because of its lack of sandboxing features.

Re:Cnet link not really informative (4, Insightful)

malloc (30902) | more than 4 years ago | (#31677814)

To me "No real sweat" != "Windows 7 - Internet Explorer 8 - Remote Code Execution - Critical "

Re:Cnet link not really informative (3, Informative)

natehoy (1608657) | more than 4 years ago | (#31677848)

Actually, it is.

This release also addresses CVE-2010-086, which is no sweat for IE8 on Win7, as you say. But note the term "also addresses". That's an important term.

One or more of the other nine vulnerabilities the fix is being released for is labeled as critical, and can cause remote code execution.

Specifically, CVE-2010-0490 (Uninitialized Memory Vulnerability) and CVE-2010-0492 (HTML Object Memory Corruption Vulnerability) are both listed specifically as "Critical - Remote Code Execution" for Windows 7 (both 32 and 64-bit) for Internet Explorer 8. CVE-2010-0494 (HTML Element Cross-Domain Vulnerability) is listed as "Important - Information Disclosure".

Re:Cnet link not really informative (1)

amicusNYCL (1538833) | more than 4 years ago | (#31677860)

No real sweat for IE8 on Win7...

How do you figure? IE8 on Windows 7 still has this classified as a critical update. It's moderate for IE8 on Server 2003 and Server 2008.

Re:Cnet link not really informative (3, Informative)

WrongSizeGlass (838941) | more than 4 years ago | (#31677962)

Actually, IE 8 and Windows 7 are listed in that very link you posted.

Internet Explorer 8:
* Windows XP Service Pack 2 and Windows XP Service Pack 3
* Windows XP Professional x64 Edition Service Pack 2
* Windows Server 2003 Service Pack 2
* Windows Server 2003 x64 Edition Service Pack 2
* Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
* Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
* Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2**
* Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2**
* Windows 7 for 32-bit Systems
* Windows 7 for x64-based Systems
* Windows Server 2008 R2 for x64-based Systems**
* Windows Server 2008 R2 for Itanium-based Systems

Re:Cnet link not really informative (1)

SilverEyes (822768) | more than 4 years ago | (#31678110)

Well, ... Windows 7 for 128-bit Systems isn't listed, so there!

Re:Cnet link not really informative (1)

randallman (605329) | more than 4 years ago | (#31683390)

Yea. Except for the ones marked "Remote Code Execution" and "Critical". No sweat.

Re:Cnet link not really informative (1)

Whatchamacallit (21721) | more than 3 years ago | (#31686316)

IE8 on Win7 (32bit/64bit) is just as vulnerable, re-read that bulletin!

This emergency update includes the CanSecWest fixes where they 0wned a Win7 IE8 system in minutes! There were a hundred Microsoft employees at CanSecWest and they were left scratching their heads because they didn't understand the exploit right away. It was a sophisticated manipulation of realtime memory locations.

OS versus Browser (2, Informative)

sunderland56 (621843) | more than 4 years ago | (#31677880)

If this is an IE bug, why does it only affect some operating systems and not others?

If this is really an issue with the OS support used by IE, then wouldn't it affect Firefox etc?

Patch releases really need a "info for geeks" section.....

Re:OS versus Browser (1)

blair1q (305137) | more than 4 years ago | (#31677954)

the less they say about some things, the fewer people make with the gefingerpoken in the sploit vat

that doesn't help you with your security, it helps them with theirs

Re:OS versus Browser (2, Informative)

ivonic (972040) | more than 4 years ago | (#31680026)

The way IE integrates with the OS varies between releases. In XP and earlier, items such as Windows Update and Windows help are running on IE. Since Vista, these have been control panel applets instead, giving malicious code executed in IE no power over it.

Users using another browser wouldn't be able to execute code that affects these components, but if some malicious code successfully attacks an IE user, it could potentially attack other parts of the system where IE is integrated (and to which IE has some form of access), and then execute code to potentially gain 'control' of a system.

This "remote code execution" usually isn't a hack that a script kiddie could run to gain access to your files, but often it's enough for hackers just to be able to redirect your browser (to fake online banking sites) or even just cause your PC to visit a site. Thousands of compromised PCs visiting a website a thousand times a second each is your basic DDoS attack.

Re:OS versus Browser (1)

bloodhawk (813939) | more than 4 years ago | (#31680170)

because depending on your OS versions there are built-in mitigations that are not directly related to the browser, such as DEP/NX and ASLR, and in the case of the Server OS the browser is locked down tight by default. And yes, some of those same protections that windows provides for ie are also available to firefox. The net effect of the various protection mechanisms means a vulnerability has differing consequences depending on the OS version and Architecture (x86/x64).
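An added example, not part of the original thread: one way to check whether a Windows binary opts in to the ASLR and DEP/NX mitigations mentioned above is to read the DllCharacteristics field of its PE header. The function names and the two sample headers are constructed for this illustration.

```python
import struct

# DllCharacteristics bits defined in the PE/COFF specification
HIGH_ENTROPY_VA = 0x0020  # 64-bit high-entropy ASLR
DYNAMIC_BASE = 0x0040     # image may be relocated at load time (ASLR opt-in)
NX_COMPAT = 0x0100        # image is compatible with DEP/NX
MACHINES = {0x014C: "x86", 0x8664: "x64"}

def pe_mitigations(data: bytes) -> dict:
    """Report the mitigation opt-in flags recorded in a PE image's headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # signature (4) + COFF header (20) + optional header through offset 71
    if e_lfanew + 4 + 20 + 72 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: bad or truncated PE header")
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24
    (magic,) = struct.unpack_from("<H", data, opt)
    if opt_size < 72 or magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unsupported or truncated optional header")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+
    (flags,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "arch": MACHINES.get(machine, hex(machine)),
        "aslr": bool(flags & DYNAMIC_BASE),
        "dep": bool(flags & NX_COMPAT),
        "high_entropy_aslr": bool(flags & HIGH_ENTROPY_VA),
    }

def sample_header(machine: int, magic: int, flags: int) -> bytes:
    """Constructed minimal PE header for the demo (not a loadable executable)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0xE0, 0x0102)
    optional = bytearray(0xE0)
    struct.pack_into("<H", optional, 0, magic)
    struct.pack_into("<H", optional, 70, flags)
    return dos + b"PE\0\0" + coff + bytes(optional)

if __name__ == "__main__":
    legacy = sample_header(0x014C, 0x10B, 0x0000)   # no opt-in flags set
    modern = sample_header(0x8664, 0x20B, 0x0160)   # all three flags set
    for name, blob in (("legacy", legacy), ("modern", modern)):
        print(name, pe_mitigations(blob))
```

These flags only record what the binary opts in to; what the loader actually enforces still depends on the OS version and system policy.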

Emergency Patches? (0, Troll)

FatalMuffin (1779280) | more than 4 years ago | (#31678274)

It's a good thing that MS has Windows update at their disposal. Whereas I use Firefox, along with "most" (I'm guessing) users of /. At least there isn't a patch every other fortnight

Re:Emergency Patches? (1, Interesting)

mrsurb (1484303) | more than 4 years ago | (#31680414)

If only /. were populated by people using a minority operating system that had comprehensive package managers to take care of their updates.

My solution (3, Funny)

stonewallred (1465497) | more than 4 years ago | (#31678316)

I just don't use any browser. I refuse to use one that is not 110% secure. Plus it saves me tons of money by not having to pay for internet connection. When I really need to cruise the web, I just plug in the brainstem actualizer and use an avatar to swim through a virtual reality version of the net. And I fight off viruses and malware using a lightsaber. Y'all really need to come to the real geek heaven.

It's no big deal... (0)

Anonymous Coward | more than 4 years ago | (#31678714)

...the same way another strip of bandage is not a big deal to a mummy.

mod uP (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31680602)

Reboot???!! (3, Insightful)

jon_cooper (746199) | more than 4 years ago | (#31682256)

Why on earth do I have to reboot my system just to patch a web-browser????

Grrrrr!!!

And yes, that was a rhetorical question.

Re:Reboot???!! (1)

imakemusic (1164993) | more than 3 years ago | (#31685900)

And yes, that was a rhetorical question.

Sure but is this?

Introducing: Polymorphic Patch Engine Technology (1)

symbolset (646467) | more than 4 years ago | (#31683224)

We all know that one major problem with the Microsoft platform is that it's homogeneous. No matter how many times we hear the "ground up" reengineering story, we get these exploits that work vulnerabilities in a common code base. All of the platforms use the same code. All code has bugs, and one bug might grant entry, while two more might grant privilege escalation, and so once an exploit is found all the machines with that code base are pwned. The solution to this problem is deviously simple: do everything differently on every machine. No, I'm not talking about ASLR here, though that's a start.

Stop. I know the first reaction to that is "that's crazy talk". This is pretty revolutionary thinking. It's not possible to design a unique operating system for every user. It is however possible to avoid the complementary vulnerability trampoline by varying the ways that components implement various technologies.

Every action that a machine can perform can be done in various ways - various algorithms can be used to achieve the same result, and some algorithms are more efficient than others. As a part of development many of these ways are explored and until now all but one was discarded. Simply by retaining the discarded algorithms, exploring the variations permissible within the defined interface, and retaining each functional implementation as a heuristic option allows the system designer to thwart the advantage of the large static target. The varying algorithms can be distributed randomly across the installed base as polymorphic patches. As long as the variant algorithms are strictly conformant to the well-defined interfaces, and the interfaces are well designed, it works. The downside to this is that some algorithms are, let's face it - sub-optimal. The diversity of algorithms is an advantage here as a feedback mechanism will reveal optimizations that yield net losses due to secondary effects. This will winnow the dozens of algorithms to a few. Even with only a few performant options per algorithm given the vast number of subsystems in a desktop or server operating system, we'll not run out of permutations before the end of time.

When each subsystem might be any one of several implementations that achieve the same object, the monolithic cathedral of code with a universal backdoor is prevented. Patches can randomly rotate the heuristic until the exploitability of individual platforms is not predictable. Performance of an individual system will vary to a degree, but not necessarily so in net - the distribution of performant vs sub-optimal algorithms can be intelligently distributed so that they average out and one system doesn't have all sub-standard algorithms. Positive feedbacks can indicate exploited components and replace them in an evolutionary fashion before they can be combined synergistically into a chain of exploits that go from basic entry to system privilege. The feedback can also gauge the quality status of the code, and with proper tracking lead back to the outstanding developer for recognition (or the leakmaster for reassignment).

Oh, and no patenting this stuff you bastards! This comment is prior art (ok, I adapted the ideas from some 1980's AI research and Conway's Life - but you can't prove that. Regardless, you didn't invent this stuff and the patents are NOT YOURS).
