Open Source Firm Releases Patch for IE Bug [UPDATED]

CowboyNeal posted more than 10 years ago | from the anything-you-can-do dept.

Internet Explorer 544

An anonymous reader writes "An open source and freeware software development web site has released a patch to fix the URL spoofing vulnerability in Internet Explorer, which can be exploited by scammers who try to trick people into revealing details of online banking accounts or other private information." Naturally, the source for the patch is available as well. Update: 12/19 15:06 GMT by M : Sadly, the patch appears to contain a buffer overflow and some possibly-malicious code - see an analysis and news story, and this comment which suggests the patch author is trying to figure out who is taking advantage of the original vulnerability. Caveat patcher.


fp (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7759925)

fp

DMCA violator (5, Insightful)

DigiShaman (671371) | more than 10 years ago | (#7759927)

In other news....M$ slams a DMCA lawsuit for "hacking".

Re:DMCA violator (2, Troll)

pvt_medic (715692) | more than 10 years ago | (#7760105)

Now at first that is what I was thinking when I saw the article. Clear case of Microsoft embarrassment, and Microsoft's reaction would clearly be one of litigation (now of course, it still is likely to do that), but is that the best thing for Microsoft? One of the reasons other systems have such good security is because they have a consortium of people and organizations working on them. If Microsoft took this approach they could move to be a more secure environment (they'd still be evil)

My 2 cents worth

In other news... (5, Funny)

BladeMelbourne (518866) | more than 10 years ago | (#7760111)


Open Source Firm Releases Patch for IE Bug

In other news...

Today Micro$oft contributed code to the Linux kernel, and announced plans to help iron out differences between Mozilla and MSIE :-)

... huh? (2, Interesting)

TellarHK (159748) | more than 10 years ago | (#7759930)

I can't even come up with a good joke for this. Seriously. It's just too good. Way, way too good.

Re:... huh? (0)

cristi1979 (678494) | more than 10 years ago | (#7759969)

yap... Microsoft never stops to impress me. So there is a point for them to exist!

Re:... huh? (4, Funny)

arvindn (542080) | more than 10 years ago | (#7760079)

Try some of these (funny yet scary at the same time):
  • Next time there's a hole in MSIE so big you can drive a cart through it, MS will release a patch in a week and say: "See! We told you we're more secure than open source. We have a patch out already and openwares.org hasn't yet!"
  • People will believe them when they say that
  • Openwares is going to get sued by MS claiming there's no way they could have released a patch unless they illegally obtained the source
  • I'm sure there's a joke or three out there about the name (wares->warez) but I can't find it :)

well done (4, Insightful)

b4rB3li7h (687311) | more than 10 years ago | (#7759933)

trust OS people to fix what M$ can't find profit for!

Lawsuits? (0)

Anonymous Coward | more than 10 years ago | (#7759935)

How long til they're sued by MS?

EASY FIX (0)

Anonymous Coward | more than 10 years ago | (#7759939)

Try to remove the color-problem by restarting your computer several times. -- Microsoft-Internet Explorer README.TXT

Hm... (0)

Anonymous Coward | more than 10 years ago | (#7759940)

When Microsoft can't do it anyone can!

No Trusted Computing logo on patch? (5, Funny)

Anonymous Coward | more than 10 years ago | (#7759941)

I'm not downloading anything that isn't part of a MS plan. Sounds like a trojan attempt to me.

Re:No Trusted Computing logo on patch? (1)

FunkyELF (609131) | more than 10 years ago | (#7760134)

...me neither. Where are the supposed 'sources' for this fix? All I find is IEpatch.EXE

Acceptance? (2, Interesting)

xeno_gearz (533872) | more than 10 years ago | (#7759945)

This is great that they did this but perhaps resources would be better spent developing for Mozilla? It will be interesting to see how Microsoft react to this. Why is the group [openwares.org] releasing this on their own? Was Microsoft contacted?

Unfortunately, with this being an unofficial release, I don't see many people likely to utilize this until it is released by Microsoft. In the meantime, I am enjoying reading this in Mozilla :)

Re:Acceptance? (4, Funny)

TellarHK (159748) | more than 10 years ago | (#7759952)

> Why is the group releasing this on their own?
To quote the wise sages of the Quake 3 voiceover...

HUMILIATION!

Re:Acceptance? (5, Insightful)

DavesWorld334 (714899) | more than 10 years ago | (#7760019)

Pretty sure this makes Microsoft look really inept. I mean, if the largest and richest software company in the world can't patch their own products before a group of volunteer coders can figure out a fix ... seems to me that makes M$ look like fools.

My US$0.02, unadjusted for inflation of course.

Inept and free! (4, Interesting)

fm6 (162816) | more than 10 years ago | (#7760143)

> Pretty sure this makes Microsoft look really inept.
Since when have they needed any help with that?

If people are doing open source IE patches, would somebody please fix this sucker [google.com] ? Thousands of people are complaining about this bug online, yet MS hasn't even officially admitted its existence. Now that's inept!

help plx k thx (0, Insightful)

Anonymous Coward | more than 10 years ago | (#7759947)

i am confused about what i shuld do. my mommy touched my pee-pee and made my soldjer stand at atenshun. she was proud of my soldjer but then she said it is cold out and he should be warm so she put my pee pee in her hooha. that was warm and nice but then something happened and my soldjer got real slick and wet and made a mess all over my mommys hooha. she called me a dirty little boy and gave me a slap on the face and a whupping with a switch.

i dont know what to do. my pee pee felt good in her hooha but how do i not make a mess? and why am i going to burn in hellfire for forever and ever and ever, amen?. jeses knows i didnt try to be a bad filthy little boy and make a mess and deserve a whupping, right? please help me because she said my soldjer needs to get warm again. i think that is true but i dont want to be a filthy evil little boy and have hellfire.

I already got the patch (2, Insightful)

Anonymous Coward | more than 10 years ago | (#7759948)

It's called Mozilla/Firebird.

Re:I already got the patch (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7759956)

Tres amusing, monsieur. Do you *try* to be a horse's ass or does it come naturally to your kind?

Re:I already got the patch (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7759971)

You're the one using French, so I'll ask you the same question.

How were they able to make such a patch... (5, Interesting)

znode (647753) | more than 10 years ago | (#7759951)

Without the original source to IE?

Re:How were they able to make such a patch... (4, Interesting)

epiphani (254981) | more than 10 years ago | (#7760033)

Exactly what I was going to ask. How do you "patch" software without the original code? You'd basically have to reverse engineer the software, back to some other form of programming language - probably ASM.

Now, just as a quick check, isn't reverse engineering any M$ product against the EULA? I seriously expect a lawsuit about this.

Also, patching a binary - that requires *very* detailed knowledge of the binary itself, not? You can't just diff two binaries, and apply patches like that, can you? Run into addressing problems, not? I've never really studied the end result of my code beyond a little gdb'ing.

Re:How were they able to make such a patch... (1)

goranb (209371) | more than 10 years ago | (#7760126)

It very much depends...
Judging by the bug's description, the bug isn't spread out through much code... It might just be a condition in an (at least in the original source) if construct...
Changing that might require only changing a few bytes of the executable code, which can be done without any real problems...

Re:How were they able to make such a patch... (4, Informative)

WolfWithoutAClause (162946) | more than 10 years ago | (#7760129)

> You'd basically have to reverse engineer the software, back to some other form of programming language - probably ASM.

Off-hand- I'd probably stick a debugger on it, viewing the code at assembler level, and trace the carriage return in from the OS; or something like that. I mean the OS has to call or return to IE when the carriage return is hit; there can't be that many places in the code where it is waiting for input- stick a breakpoint on all of them, and whichever one gets hit after you click on the carriage return is starting to process the code. Run it multiple times with different input and pretty soon you should start to see the patterns.

It's not especially easy, but it's doable, I've done stuff like that before. It's easier if you have the source code, but it's just slower if you don't.

Re: isnt reverse engineering against the EULA? (2, Funny)

NortWind (575520) | more than 10 years ago | (#7760152)

Maybe they forgot to sign the EULA?

Re:How were they able to make such a patch... (1)

fishbowl (7759) | more than 10 years ago | (#7760098)

I hope that tools and techniques for dealing with object code become more common. Think about it, if you had the tools you have today, how much easier would your life have been back in the z80 and 6502 days? Imagine when the community gives up on the whole "open source, exposed source, shared source, published source, whatever source", never mind that, we can work with object code anyway.

New MS Security Fix (5, Funny)

Ironclad2 (697456) | more than 10 years ago | (#7759953)

This patch fixes a security bug in Internet Explorer that could allow someone who actually knows what they're doing to repair buggy programs on your computer.

MOD PARENT UP! (0)

Anonymous Coward | more than 10 years ago | (#7759982)

Mod it funny! You know you want to!

Re:New MS Security Fix (0)

cristi1979 (678494) | more than 10 years ago | (#7759995)

say what?

Good to know... (4, Interesting)

TSR Wedge (732684) | more than 10 years ago | (#7759954)

Good to know that while Microsoft is leaving its users hanging out to dry patch-wise, the community still cares enough to fix the problems. Who knows -- maybe we'll see more effective (i.e., fixing more problems than they cause) patches from here forward.

And this matters why? (5, Insightful)

Anonymous Coward | more than 10 years ago | (#7759955)

So, there is an open source patch for a browser that the people that would have heard of the patch wouldn't use, the /. readers ought to be using mozilla and they know it, if they aren't using mozilla they probably will not install the patch either.

the people that would likely be fooled by this haven't heard of mozilla and haven't heard of open source and will not hear of this patch.

so this patch is pointless
(cool that it can be done though)

Re:And this matters why? (4, Insightful)

s20451 (410424) | more than 10 years ago | (#7760041)

> so this patch is pointless
> (cool that it can be done though)


Ah, but my good Mr. Coward, far from being pointless, the patch puts Microsoft in a delicious conundrum! Either accept and distribute an open source patch (thereby publicly validating the open source model), or ignore the patch and get sued by customers, because a patch existed that they did not publicize.

ps. Are you related to Noel Coward? Send my regards.

What the "patch" really does.... (5, Funny)

mikewren420 (264173) | more than 10 years ago | (#7759957)

What the article doesn't say is that the "patch" just removes IE and installs Mozilla. :)

Re:What the "patch" really does.... (1)

bstadil (7110) | more than 10 years ago | (#7760044)

Excellent joke/idea.

I bet if you included the IE theme [mozdev.org] less than 25% would ever notice.

The Extras like Tabbed Browsing and Pop-up blocking would just be normal MicroSoft Innovations TM

Re:What the "patch" really does.... (1)

Stween (322349) | more than 10 years ago | (#7760165)

> The Extras like Tabbed Browsing and Pop-up
> blocking would just be normal MicroSoft
> Innovations TM

So why wouldn't you want credit for the work to go to the Mozilla group? Would anybody really want the situation where Microsoft are falsely credited with that amount of work?

Seriously. (0, Insightful)

Chess_the_cat (653159) | more than 10 years ago | (#7759959)

Why should I trust this? Yeah, the source code is available, that's great. I'm not a programmer so it's meaningless to me. Without the MS seal of approval I won't be installing this. It's so damn sketchy.

Re:Seriously. (5, Insightful)

56uSquareWave (726317) | more than 10 years ago | (#7759990)

Ahem, you can't see the source code of IE but you trust that? okay then

Re:Seriously. (1)

Clever Pun (729719) | more than 10 years ago | (#7760036)

And hasn't Microsoft shown already that what they think is safe, and what really is are often two very different things?

Re:Seriously. (1)

_Sexy_Pants_ (703751) | more than 10 years ago | (#7760037)

Insightful the first time you said it maybe

Re:Seriously. (4, Insightful)

Atlantix (209245) | more than 10 years ago | (#7760050)

Sounds like you're in a no-win situation. You won't install a patch without the MS seal of approval but the patch (allegedly) repairs a known flaw in a product that HAD the MS seal of approval. So that begs the question: What is the value of the MS seal of approval if they're wrong? You'll never be able to install anything!!!

--Atlantix

Re:Seriously. (1)

56uSquareWave (726317) | more than 10 years ago | (#7760069)

So that means for something to be safe it can't have the MS seal of approval so... um...

Install linux right? ;)

Re:Seriously. (2, Funny)

NamShubCMX (595740) | more than 10 years ago | (#7760150)

he's actually in a "too-much-win" situation :P

(t'was easy, sorry)

Re:Seriously. (0)

Anonymous Coward | more than 10 years ago | (#7760077)

"Yeah, the source code is available, that's great. I'm not a programmer so it's meaningless to me."

Okay, this is just an admission of ignorance. We're all ignorant outside our areas of expertise.

"Without the MS seal of approval I won't be installing this."

Microsoft wrote the bugs. They won't share their source code with you. They often deny or ignore real problems. They lost an antitrust suit. And you trust them?

Are you an accountant? (2, Insightful)

Idou (572394) | more than 10 years ago | (#7760135)

I guess you don't invest in any stock then . . .

Being open is not for your benefit because you have any clue how things work. Being open allows objective 3rd parties who have a clue to give an opinion on the matter so that the clueless masses (though shrinking everyday) can make a decent decision. The benefit to you is indirect, but it is a real tangible benefit, nonetheless.

Now, objectivity and expertise to you might simply be synonymous with "MS," but if the financial market were that naive I doubt we would have ever recovered from the great depression . . .

Hope my reality wasn't too harsh for your bubble.

Re:Seriously. (0)

Anonymous Coward | more than 10 years ago | (#7760170)

ya i was looking at the source code and what the patch does is that it hooks up to the IE before navigate event and then parses the url and redirects the user as needed. This is really a neat hack.

if the executable is built from the same source then the patch is sure sane.

Long live Mozilla!!!

Direct Link to patch (4, Informative)

bogie (31020) | more than 10 years ago | (#7759967)

For the adventurous among you.

http://www.openwares.org/downloads/IEpatch.EXE

Re:Direct Link to patch (-1, Redundant)

Anonymous Coward | more than 10 years ago | (#7759975)

Why should I trust this? Yeah, the source code is available, that's great. I'm not a programmer so it's meaningless to me. Without the MS seal of approval I won't be installing this. It's so damn sketchy.

Crikey, mate. (2, Funny)

IvyMike (178408) | more than 10 years ago | (#7760084)

That's not a link! This is a link:

http://www.openwares.org/downloads/IEpatch.EXE [openwares.org]

P.S. I haven't actually tried the executable out, I just added the clickable goodness. I also couldn't pass up the chance to make a Crocodile Dundee joke.

Re:Direct Link to patch (4, Informative)

GaelenBurns (716462) | more than 10 years ago | (#7760108)

Thanks. I've patched my test system and it didn't even require a reboot! Windows has come so far... when you use as little MS software on it as possible.

Anyway, I've tested IE by running through some windows updates and going to a few exploit test sites. Everything has behaved as it should.

By the way, one of the joys of this patch is that when you browse to a site attempting the exploit, you get one of those nice IE error pages, formatted in the traditional way. Except, instead of seeing Microsoft branding all over it, the Openware patch is referenced. I don't know... having this little bit of OSS within IE warms my heart. And just in time for the holidays!

Software that never needs a patch. (0)

Anonymous Coward | more than 10 years ago | (#7759968)

Will there ever be a day? It's like fixing something old. Keep patching it, then someday give up and get a new one.

Ummm (1, Interesting)

rabtech (223758) | more than 10 years ago | (#7759978)

I don't know about you folks, but this appears to redirect your request to their cgi script, which ostensibly will allow or deny it based on whether or not it is vulnerable.

This looks like a horrible way to "fix" the problem.

This doesn't actually fix the problem (4, Interesting)

realdpk (116490) | more than 10 years ago | (#7759981)

If you check the code, all it appears to do is redirect the browser to http://www.openwares.org/cgi-bin/exploit.cgi?URL if someone clicks on a bogus URL.

The overpresence of "strcpy" is a bit unsettling, too.

While it's a nice step, it's no replacement for an official Microsoft patch.

Re:This doesn't actually fix the problem (0)

Anonymous Coward | more than 10 years ago | (#7759993)

Agreed. But why should I trust this? Yeah, the source code is available, that's great. I'm not a programmer so it's meaningless to me. Without the MS seal of approval I won't be installing this. It's so damn sketchy.

Re:This doesn't actually fix the problem (1)

dema (103780) | more than 10 years ago | (#7760049)

> While it's a nice step, it's no replacement for an official Microsoft patch.

Yea, it doesn't fix the problem AND break something else. :\

Re:This doesn't actually fix the problem (0)

Anonymous Coward | more than 10 years ago | (#7760082)

strcpy seems ok, but what about the strcat calls in IETray.cpp? It seems surl is 256 bytes, 47 static bytes are added and then sFake and sTrue. Will this never add up to more than 256 bytes? Does it even matter if it does?
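Added illustration of the sizing question raised in the comment above (editorial example, not part of the thread and not the patch's own code): the unchecked strcpy/strcat pattern next to a bounded build that refuses input too long for a 256-byte buffer. Only `surl`, `sFake`, `sTrue` and the 256-byte size come from the comment; the prefix, separator and function names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define SURL_SIZE 256 /* buffer size quoted in the comment */

/* Constructed stand-ins for the fixed text of the redirect URL;
 * the patch's real strings are not shown on this page. */
static const char PREFIX[] = "http://checker.example/cgi-bin/check.cgi?fake=";
static const char SEP[]    = "&true=";

/* Bytes needed for the finished URL, including the terminating NUL. */
size_t url_bytes_needed(const char *sFake, const char *sTrue)
{
    return (sizeof PREFIX - 1) + strlen(sFake)
         + (sizeof SEP - 1) + strlen(sTrue) + 1;
}

/* The pattern the comment worries about: nothing stops the total from
 * exceeding the destination. With a 256-byte surl, any input pair for
 * which url_bytes_needed() > 256 writes past the end of the buffer,
 * which is undefined behaviour. Shown for contrast; never called here. */
void build_url_unchecked(char *surl, const char *sFake, const char *sTrue)
{
    strcpy(surl, PREFIX);
    strcat(surl, sFake);
    strcat(surl, SEP);
    strcat(surl, sTrue);
}

/* Bounded version: returns 0 on success, -1 if the result would not fit.
 * On failure surl is left as an empty string, never a truncated URL,
 * so the caller cannot act on a half-built redirect target. */
int build_url_checked(char *surl, size_t size,
                      const char *sFake, const char *sTrue)
{
    int n;

    if (surl == NULL || size == 0)
        return -1;
    surl[0] = '\0';
    if (sFake == NULL || sTrue == NULL)
        return -1;

    /* snprintf returns the length it wanted to write, excluding the NUL. */
    n = snprintf(surl, size, "%s%s%s%s", PREFIX, sFake, SEP, sTrue);
    if (n < 0 || (size_t)n >= size) {
        surl[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char surl[SURL_SIZE];
    char long_fake[400]; /* constructed over-long input */

    memset(long_fake, 'A', sizeof long_fake - 1);
    long_fake[sizeof long_fake - 1] = '\0';

    if (build_url_checked(surl, sizeof surl,
                          "www.bank.example", "203.0.113.7") == 0)
        printf("built: %s\n", surl);

    printf("over-long input needs %zu bytes, buffer holds %d\n",
           url_bytes_needed(long_fake, "203.0.113.7"), SURL_SIZE);

    if (build_url_checked(surl, sizeof surl,
                          long_fake, "203.0.113.7") != 0)
        printf("rejected instead of overflowing\n");
    return 0;
}
```

Both strings originate from a link the user clicked, so a production builder would also percent-encode them; that is left out to keep the focus on sizing.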

Re:This doesn't actually fix the problem (1, Interesting)

Anonymous Coward | more than 10 years ago | (#7760113)

people look at the source code, the strcpy is not copying a passed var.. it's harmless..

How? (4, Insightful)

blair1q (305137) | more than 10 years ago | (#7759983)

How do you patch closed source code?

By violating the EULA by disassembling IE?

Lovely. I want Bill Gates poking around my sock drawer because I installed an unauthorized patch...

Perhaps more? (1)

sznupi (719324) | more than 10 years ago | (#7759985)

I wonder when OSS folks will release their version of Wind...no, wait, ReactOS team isn't sleeping, doing nothing, I think :P

Re:Perhaps more? (1)

bhtooefr (649901) | more than 10 years ago | (#7760026)

Umm, they're up to 0.1.5, at least, and they've got a screenshot of 0.1.6.

Huh? (1)

Steve G Swine (49788) | more than 10 years ago | (#7759988)

How is having an open source patch for a closed source product different than a closed source patch?

Seems to me that all you know is that somebody who presumably knows more than you can about the underlying code is doing stuff to it. You're still risking the same badness whether you read what they give or not.

The patch may be marvelous, but I can't see why anyone cares about its source.

Re:Huh? (0)

Anonymous Coward | more than 10 years ago | (#7760110)

because it comes from another vendor - and one that many people have not heard of - how do we know that the code doesn't have something malicious or stupid in it?

easy - read the source! without the source the patch is much less trustworthy. ( actually this applies to ALL software ;) )

and if you can't read code, there are plenty of people who can - if there is a problem with the patch you can bet people will be howling about it on /.

Re:Huh? (1)

GaelenBurns (716462) | more than 10 years ago | (#7760146)

Shouldn't that be obvious? At least with the source available you know that they aren't doing something overtly immoral with their code like installing a porn server on your machine or using you to send spam. I agree that because you only have a portion of the source you can't be certain that negative things won't happen... but at least I'm protected from more than an annoyance. In the worst case scenario, I'll have to re-image the drive with a clean install as a result of poor interoperation between this patch and IE's closed source.

Can we really trust this patch? (3, Insightful)

GoofyBoy (44399) | more than 10 years ago | (#7759989)


A third party releasing a patch to a browser. How safe is this?

Yes the source code is there, but how do we know the executable doesn't have crap in there?

Even if everything is clean now, how about the next patch from another source?

(Not even saying anything about testing and how it can break something. They don't even have the source code of the original product.)

Re:Can we really trust this patch? (0)

Anonymous Coward | more than 10 years ago | (#7760012)

Agreed: why should I trust this? Yeah, the source code is available, that's great. I'm not a programmer so it's meaningless to me. Without the MS seal of approval I won't be installing this. It's so damn sketchy.

Re:Can we really trust this patch? (1)

Atlantix (209245) | more than 10 years ago | (#7760115)

Identical posts in different threads, very lame.

Re:Can we really trust this patch? (1)

donkeyoverlord (688535) | more than 10 years ago | (#7760070)

> A third party releasing a patch to a browser. How safe is this?

Well the source is there for a reason, for review and so that you can compile the patch yourself. I could care less where the patch comes from as long as it works and doesn't try anything sneaky. This is what open source is all about; if you're not going to trust it then stay with closed source and ummm trust that!

Re:Can we really trust this patch? (1)

bsharitt (580506) | more than 10 years ago | (#7760091)

> Yes the source code is there, but how do we know the executable doesn't have crap in there?

Get the source code, check it and recompile and use that.

Re:Can we really trust this patch? (3, Insightful)

Atlantix (209245) | more than 10 years ago | (#7760096)

Good questions. It's hard (maybe impossible) to know that an open source patch to a closed source product doesn't break something else. On the bright side, you can know the executable doesn't have extra crap. The point of releasing the source code is so anyone can compile it and verify it actually produces the executable.

--Atlantix

Insert (1)

smitty_one_each (243267) | more than 10 years ago | (#7759992)

Comment about Open Source browser <your pick here> as a better general patch for the woes of IE.
For a dual-boot configuration, I'm still in favor of a FAT32 partition between NTFS and <favorite open source file system>, the beauty of which is that Mozilla mail can be pointed to a single set of folders on that FAT32, regardless of which OS is booted.
Now, if only the Palm desktop stuff could achieve such flexibility; I still wind up duplicating data in the Palm desktop under redmondware, and JPilot under Linux.
Which isn't too much to have to complain about, now, is it?

Will this violate the EULA? (3, Insightful)

jaxdahl (227487) | more than 10 years ago | (#7759999)

Does applying a third party patch violate the EULA for IE?

Use Mozilla Firebird (1, Insightful)

Tuqui (96668) | more than 10 years ago | (#7760000)

A Better solution:
Use Mozilla Firebird

If MS is too slow... (0)

intuit (729653) | more than 10 years ago | (#7760001)

If the open-source community is able to put out a patch to fix vulnerabilities faster than Microsoft, this could happen more often. If it happens more often, then perhaps Microsoft could just stop trying to patch its own OS and programs altogether. Just a speculation, not too likely.
I just know that MS won't speed up their patching to beat the open-source community. :)

No thanks (5, Funny)

Anonymous Coward | more than 10 years ago | (#7760007)

Sorry, but it's going to be a cold day in hell when I run something from a website named "openwarez.org".

OMG!!! (4, Funny)

Infernon (460398) | more than 10 years ago | (#7760016)

It didn't ask me to reboot afterwards!!!
Someone start knitting a sweater for Satan...

What about Microsoft (1)

chrispyman (710460) | more than 10 years ago | (#7760017)

What happens when Microsoft releases their official patch? While being open source, who's to say that it will play well when Microsoft releases their official patch?

Mmf. (5, Informative)

BJH (11355) | more than 10 years ago | (#7760018)

It's only "open source" in the very loosest sense. From the patch:

Internet Explorer URL Spoofing Security Patch

Developed by Opensoft Corporation, Vanuatu

Contact: opensoft@openwares.org

Opensoft Corporation, Vanuatu
Copyright 2003 All rights reserved.

Terms of Agreement:

By using this source code, you agree to the
following terms:

1) You may use the source code, resource
files for educational purposes only.
2) You MAY NOT redistribute this source code
without written permission. Failure to do
so is a violation of copyright laws.
3) The author of this code may have retained
certain "additional copyright rights".
If so, this is indicated in the author's
description.

bad idea (1, Insightful)

ghettoreb (711310) | more than 10 years ago | (#7760021)

this is good in the short run, but bad in the long run

people voluntarily patching M$ products will lessen the pressure on M$ to write code with fewer bugs in the first place. Also without knowing the source code, reverse engineering the program and writing patches is risky at best: who knows what this patch might break after extensive testing.

Also: when (and if) M$ actually releases a *real* patch for the problem, how will that work with this open source patch?

Microsoft. Where did you want to go yesterday? (2, Insightful)

rice_burners_suck (243660) | more than 10 years ago | (#7760024)

Heh, count on the open source community to do Microsoft's job. What else do you expect?

I can tell you this: It doesn't surprise me that Microsoft isn't doing its job properly. It's a software company. It should produce a reliable product. But instead, it produces trouble.

Further, it doesn't surprise me that the open source community is fighting back, so to speak, by fixing this particular problem. I think that as time goes by, more patches for commercial software will be released by independent programmers in the open source community, because of frustration with the inability to get satisfaction from the "real" producer of the software.

I only hope that Microsoft won't pull some stupid DMCA bullshit to stop this. "Yeah, your honor, we believe it is detrimental to the best interests of our customers when bugs in our software are fixed. It should, instead, be illegal to discuss, fix, or exploit these bugs in any way, unless one is a member of the underground h4x0r community, in which case, exploiting the bugs is perfectly ok." (We all know Bill Gates is the leader of all these movements to steal credit card numbers through exploits in his own code. That's how he earned his zillions of dollars. Nobody actually buys stuff from Microsoft, you know.)

Re:Microsoft. Where did you want to go yesterday? (0)

Anonymous Coward | more than 10 years ago | (#7760040)

Heh heh. That's very funny. But I have a much better solution: simply install Mozilla Firebird.

Oh, did I mention it's free?

I'd guess it's an ActiveX plugin? (1)

thecampbeln (457432) | more than 10 years ago | (#7760027)

If I were going to make a patch such as this in the manner in which they did (that is, they patched a Microsoft program when they themselves are not Microsoft), I'd write an ActiveX browser plug-in that simply scrubbed the URL before it was processed by the browser!? I've not looked at the source code for it, but is this what they've done?

And no matter how they did it, how freaking embarrassing is this for Microsoft? "Our software is so flawed that unauthorized third parties can fix it faster than we can." Oh thank god NORAD is using that shit!

This will go far (3, Interesting)

Ridgelift (228977) | more than 10 years ago | (#7760055)

> While Microsoft has released an article providing details about the vulnerability, the company is yet to provide a patch.

I hope this becomes a trend and attitude among the Open Source community. I must admit that I've been a Microsoft-hater for years, but over time I found that people are really put off by anti-corporation sentiments. I suppose it makes sense in a way; if I invested thousands in a technology for my business, I wouldn't want people telling me "Aw man! You got totally taken! Windows is total crap!"

If the Open Source community begins patching Windows before Microsoft, not only does it help consumers deal with problems they can't solve, but it brings honor and respect to the Open Source community. Then when people consider Open Source, they're more likely to conclude that Open Source programmers are more competent than corporate programmers.

It's a win-win-lose. Open Source wins, Consumers win, and Microsoft loses. Which is what I wanted in the first place.

ESR's right in his article "How to Become a Hacker" [catb.org]

Q: Do I need to hate and bash Microsoft?

A: No, you don't. Not that Microsoft isn't loathsome, but there was a hacker culture long before Microsoft and there will still be one long after Microsoft is history. Any energy you spend hating Microsoft would be better spent on loving your craft. Write good code -- that will bash Microsoft quite sufficiently without polluting your karma.

Couldn't they have engineered the reverse? (0)

Anonymous Coward | more than 10 years ago | (#7760057)

Seriously: why should I trust this? Yeah, the source code is available, that's great. I'm not a programmer so it's meaningless to me. Without the MS seal of approval I won't be installing this. It's so damn sketchy.

No updates for December? (2, Insightful)

Neo-Rio-101 (700494) | more than 10 years ago | (#7760065)

I don't have any idea why MS decided to wait until next year before fixing something which is otherwise a severe security issue. I guess everyone is just led to believe that MS simply doesn't care if your PC gets hacked, because then they can go around and pass the buck to spammers and charge people for an upgrade or support.

I think this patch release makes more of a political statement, regardless of the issues surrounding whether an OSS company should be putting out patches for proprietary products.

Re:No updates for December? (0)

Anonymous Coward | more than 10 years ago | (#7760073)

BUT WHY should I trust this? Yeah, the source code is available, that's great. I'm not a programmer so it's meaningless to me. Without the MS seal of approval I won't be installing this. It's so damn sketchy.

Re:No updates for December? (4, Insightful)

Neo-Rio-101 (700494) | more than 10 years ago | (#7760107)

That's not the point. The point is that MS has ignored patching this vulnerability for far too long. It put its promise of "no patches for December" above the real and critical need to update the most common browser running on the world's computers from hack attacks. Whether you install it or not is your business, and furthermore, if the patch was truly buggy everyone would be screaming about it by now.

Re:No updates for December? (1)

GaelenBurns (716462) | more than 10 years ago | (#7760167)

The patch is working just fine for me. Didn't even need a reboot.

did anyone else feel it... (4, Funny)

Stevyn (691306) | more than 10 years ago | (#7760068)

when hell just froze over? Will Microsoft actually have to acknowledge them? Thank them?

The patch was released a while back!!! (2, Funny)

Eberlin (570874) | more than 10 years ago | (#7760074)

An open source firm issued the patch a while back -- It was called mozilla.

How does this affect IE, the MS EULA, and all the other wonderful legal stuff that could be dragged out simply because you modified software that wasn't meant to be modified outside the confines of One Microsoft Way?

Patch on, I guess...if you must. I sleep much more soundly with my RH9 and Firebird.

FWIW... (3, Insightful)

NickFitz (5849) | more than 10 years ago | (#7760083)

this is the whois record for that domain from whois.networksolutions.com:

It's up to you to decide whether you trust them or not.

This is like picking up Bill Gates's dinner tab (0)

Anonymous Coward | more than 10 years ago | (#7760094)

or having a pop singer babysit for you. It's just *so* wrong on many levels.

Security Hole (0)

Anonymous Coward | more than 10 years ago | (#7760106)

I wish somehow, they would purposely implement a security hole. Then, be able to exploit that hole to their advantage. uh oh, The FBI is on my tracks. Gotta go. Bye.

Poor Microsoft... (Not really, but...) (2, Funny)

Pathway (2111) | more than 10 years ago | (#7760120)

Poor MicroSoft!

Microsoft's biggest software threat gets a huge update, one of their own products gets a patch by a third party, Real Networks sues them for monopolistic activities, and Lord of the Rings - Return of the King (a movie made with cheap Linux boxes) is released. All this in a 48 hour period!

Man, it's been a rough couple of days.

Sm:)e.

Proxy: Better Solution? (2, Insightful)

molafson (716807) | more than 10 years ago | (#7760140)

This patch apparently intercepts the badly-formatted URL and then forwards you to the patch maker's website.

It would be more efficient, safer, and simpler (no need to do any patching) to implement a similar solution using a proxy like Privoxy. The proxy (installed on your local machine or LAN) would then be used to intercept the badly-formatted URL, and replace it with its own locally generated warning page (again, similar to Privoxy).

I think Privoxy is OSS. Maybe someone could whip something up.
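
The check a filtering proxy would apply for the approach described in the comment above, as an added example that is not part of the original post and is not Privoxy's code. It assumes the spoof takes the form publicly reported for this bug (a control byte such as %01 placed ahead of the @ in the URL's userinfo part); the function names, the block/warn/allow policy and the sample URLs are constructed for illustration.

```python
import html
import re
from urllib.parse import urlsplit, unquote_to_bytes

# Control bytes (0x00-0x1F, 0x7F) have no legitimate place in a URL authority.
CONTROL = re.compile(rb"[\x00-\x1f\x7f]")

# Constructed sample requests (reserved .example names), not taken from the thread.
SAMPLES = [
    "http://www.bank.example%01@attacker.example/login.html",
    "http://user:pw@intranet.example/",
    "https://www.bank.example/@profile",
]

def inspect_url(url):
    """Classify a requested URL; returns (verdict, real_host, reason)."""
    try:
        parts = urlsplit(url)
        real_host = parts.hostname or ""
    except ValueError:
        return ("block", "", "unparseable URL")
    if parts.scheme not in ("http", "https"):
        return ("allow", real_host, "not a web URL")
    # Only an @ inside the authority counts; an @ in the path is harmless.
    userinfo, at, _ = parts.netloc.rpartition("@")
    if not at:
        return ("allow", real_host, "no userinfo part")
    # Decode %XX escapes so an encoded control byte is caught as well as a raw one.
    if CONTROL.search(unquote_to_bytes(userinfo)):
        return ("block", real_host, "control byte in userinfo")
    return ("warn", real_host, "userinfo present; the host is what follows the @")

def warning_page(url):
    """Build the locally generated page a proxy would serve in place of the request."""
    verdict, real_host, reason = inspect_url(url)
    if verdict == "allow":
        return None
    return ("<html><body><h1>Suspicious link ({})</h1>"
            "<p>Reason: {}</p><p>This link really goes to: <b>{}</b></p>"
            "<p>Requested URL: <code>{}</code></p></body></html>").format(
                verdict, html.escape(reason), html.escape(real_host),
                html.escape(url))

if __name__ == "__main__":
    for u in SAMPLES:
        print(inspect_url(u), u)
```

The warning page is generated locally and shows the host that follows the @, so the user sees where the link actually leads without any request leaving the machine.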

Here's the source code... (0)

Anonymous Coward | more than 10 years ago | (#7760151)

#! /bin/sh

cd /usr/local || exit
rm -rf MSIE
tar xf src/mozilla-1.5.tar

OK, that'd be my version, but I always did go for the simple solution.

Free IE patch and fix. (4, Funny)

ratfynk (456467) | more than 10 years ago | (#7760156)

Found a wonderful fix! It is called cfdisk and Slackware 9.1 setup. Works great, and no IE security issues!

The means may be good, but the principle is wrong. (2, Interesting)

DrewBeavis (686624) | more than 10 years ago | (#7760160)

This is the beginning of a really bad precedent. It is bad enough that M$ makes bad software and takes too long to fix it, but this just makes it okay to keep doing that. M$ will know that now they don't even HAVE to fix it. Just wait and let the open source community do it. THEN, when multiple patches start conflicting because of reasons already mentioned above, M$ can blame open source as the problem. Heck, they might even 'embrace' open source for a time, then use this as justification that open source doesn't work.

Just another example of taking the high road (2, Interesting)

El (94934) | more than 10 years ago | (#7760163)

Open source enthusiasts have TWICE paid to renew Microsoft's domain registries (once for hotmail, once for microsoft UK) when Microsoft forgot... so who should you trust with your data, the people that can't even remember to renew their own domain registrations, or the people that keep bailing them out?