
Web Site Attacks Against Unpatched IE Flaw Spike

Zonk posted more than 8 years ago | from the not-a-good-spike dept.


An anonymous reader wrote to mention a Washingtonpost.com article about an increase in attacks against IE users via a critical, unpatched flaw. The bug allows software to be downloaded to the vulnerable PC even if the only act the user takes is browsing to a web site. From the article: "[A] password-stealing program landed on the Windows PC belonging to Reaz Chowdhury, a programmer for Oracle Corp. who works out of his home in Orlando, Fla. Chowdhury said he's not sure which site he browsed in the past 24 hours that hijacked his browser, but he confirmed that the attackers had logged the user name and password for his company's virtual private network (VPN)."


268 comments


Let's say it together: (5, Insightful)

gerbalblaste (882682) | more than 8 years ago | (#15004441)

Use Firefox

META MODDERS; Please handle. (0, Offtopic)

WindBourne (631190) | more than 8 years ago | (#15004562)

This is not redundant as it is the first post. It may be redundant overall, but it seems like that is needed.

Re:Let's say it together: (2, Insightful)

mOOzilla (962027) | more than 8 years ago | (#15004692)

This is not enough. When you use other applications, for example Yahoo Messenger or MSN Messenger (just examples, there are others), that take a dependency on the COM components that IE also uses, you are vulnerable too. This is why it is just as important to have the IE patches even if YOU do NOT run IE! Other applications that have taken dependencies on it WILL still need to be patched.

Ugh (1, Offtopic)

Wizardry Dragon (952618) | more than 8 years ago | (#15004448)

I know this is Slashdot, but can we at least have a gramatically correct headline?

Re:Ugh (2, Funny)

kevin_conaway (585204) | more than 8 years ago | (#15004494)

What's wrong with it? I've noticed attacks against the Flaw Spike too.

Ugh (5, Funny)

ZombieRoboNinja (905329) | more than 8 years ago | (#15004503)

I know this is Slashdot, but can we at least have our grammar Nazis spell "grammatically" correctly?

Re:Ugh (4, Funny)

dotpavan (829804) | more than 8 years ago | (#15004549)

spelling Nazi criticizing grammar nazi :)

Re:Ugh (5, Funny)

Anonymous Coward | more than 8 years ago | (#15004666)

That's why they lost WW2.

If that isn't the Most Slashdottish Comment Ever.. (1)

wiredog (43288) | more than 8 years ago | (#15004696)

Cat got your tongue? (something important seems to be missing from your comment ... like the body or the subject!)

Re:Ugh (1)

Feanturi (99866) | more than 8 years ago | (#15004730)

Is that where the pot calls the kettle stupid, culminating in a fist-fight?

Coming soon on slashdot (1)

Spy der Mann (805235) | more than 8 years ago | (#15004747)

I know this is Slashdot, but can we at least have our grammar Nazis spell "grammatically" correctly?

Next! On Slashdot!
Grammar Nazi vs. Spelling Nazi deathmatch!
Sponsored by Uwe Boll films, ltd.

Re:Ugh (4, Informative)

Valdrax (32670) | more than 8 years ago | (#15004540)

Normally, I let my sig do all the griping for me, but this is really bad. It took me three tries to understand what the title was saying. Try the following for maximum clarity:

"Website Attacks Against Unpatched IE Flaw Spike"

Actually, this would be even clearer if you put the verb before the prepositional phrase:
"Website Attacks Spike Against Unpatched IE Flaw"

It's unclear because both "spike" and "flaw" can be verbs or nouns, and the broken "unpatch" disrupts our ability to smoothly interpret the rest of the sentence thanks to turning an adjective into a present tense verb.

(I know I'm not perfect by a long shot on spelling and grammar, but it's not my job to post legibly on Slashdot.)

Re:Ugh (0)

Anonymous Coward | more than 8 years ago | (#15004558)

I didn't have any problems, guess I must be one of those luck people who can understand things and not just take them blindly at face value.

Re:Ugh (1, Funny)

Anonymous Coward | more than 8 years ago | (#15004683)

didn't have any problems, guess I must be one of those luck people who can understand things and not just take them blindly at face value.

How very luck for you.

Re:Ugh (0)

Anonymous Coward | more than 8 years ago | (#15004687)

"I didn't have any problems. I guess I must be one of those lucky people who can understand things and not just take them blindly at face value."

Fixed.

Editors (0)

Anonymous Coward | more than 8 years ago | (#15004729)

Besides, doesn't /. have Editors who should Edit the stories submitted?

Re:Ugh (1)

patternmatch (951637) | more than 8 years ago | (#15004786)

It's unclear because both "spike" and "flaw" can be verbs or nouns...

Since when can "flaw" be a verb?

Re:Ugh (1)

MustardMan (52102) | more than 8 years ago | (#15004555)

I don't really care for correct grammar - but for fuck's sake, can we at least have something somewhat comprehensible?

Re:Ugh (1)

Sabaki (531686) | more than 8 years ago | (#15004744)

I thought that was what grammar was for...

Re:Ugh (1)

hey! (33014) | more than 8 years ago | (#15004626)

I know this is Slashdot, but can we at least have a gramatically correct headline?

That's a result of the well-known TCP/IP property of out-of-order packet delivery and a bug in slashcode. The actual title should read "Satanist geek act: balances a wife with kit pups." The article somehow got lost; it was about a company that's offering an AIBO replacement in kit form in exchange for souls.

Porn sites (1, Insightful)

teshuvah (831969) | more than 8 years ago | (#15004451)

That's what you get for looking at porn when you're supposed to be working!

This is becoming not funny (0)

zappepcs (820751) | more than 8 years ago | (#15004452)

And still MS is not releasing patches quick enough... perhaps this will be incentive enough to change that policy?

Re:This is becoming not funny (1)

MSFanBoi2 (930319) | more than 8 years ago | (#15004545)

How? How can Microsoft make the changes quick enough? They have to do MASSIVE regression testing. That takes time.

Re:This is becoming not funny (1)

mOOzilla (962027) | more than 8 years ago | (#15004728)

Very FEW bugs are found by REGRESSION; they also have Virtual PCs with various patch levels as a way to DISCOVER bugs. Most bugs are found not by running tests over and over and over; it's in the DISCOVERY phase. This was not REGRESSION (a bug reactivated due to a change elsewhere - a side effect). Since you love Wikipedia, here is a link: http://en.wikipedia.org/wiki/Regression [wikipedia.org] (A re-introduction of a defect into a later revision of a product).

Re:This is becoming not funny (3, Funny)

kpainter (901021) | more than 8 years ago | (#15004652)

"They have to do MASSIVE regression testing." Ahhh, that explains it. It must be working because IE regresses with each and every day.

Time to really, really sue/open up microsoft (0)

Anonymous Coward | more than 8 years ago | (#15004796)

Why can't somebody with large amounts of cash, when they get their computers trashed by Microsoft's obviously crappy products, just sue the crap out of that company and set a precedent so that everyone can do the same?

If you make a crappy product, you deserve to get sued, the auto companies etc.

In fact, this shows how unbelievably stupid this world situation is, would we accept one auto company making ALL the cars (no, that would be some sort of weird Gilliamest nightmare), one company making all the books, houses, dishwashers etc, yet we accept ONE software company making most of the world's software?? (how stupid/retarded is that?).

There must be something special about Microsoft to warrant this special circumstance? oh, yes there is!, the lack of open software/hardware standards!!
If the power companies were allowed to only provide power to their patent/copyright wires and products that you, the consumer have paid for?

It's time that the future hardware and software (design and interface standards) became unlicensed open world standards, with no one single company/country owning/hiding the specs etc. (and no more hassling of open source too).

The progress of the human race is at stake here, we can't progress in a world of crappy hardware and software (intellectual and materially), just look at what Vista is going to require, that virtually half of the world's current state of the art PCs are going to have to be junked and sent to the land fills so that we can run some fancy eye candy and some badly engineered version of findfast etc. For Christ's sake, it's just an operating system, they have been making operating systems for 4 decades now!!!! (go buy a mac or an open source computer, at least they work and you won't be trashing the environment!)

linking=vouching for (0, Redundant)

Douglas Simmons (628988) | more than 8 years ago | (#15004454)

You'd think that websites would only link to sites they found interesting (or I suppose were paid to link). People just don't head for these nefarious sites unreferred. So how do these sites get hits? Are they Good sites that have just been compromised?

Re:linking=vouching for (1, Insightful)

FooAtWFU (699187) | more than 8 years ago | (#15004471)

Google?

Re:linking=vouching for (4, Informative)

delirium28 (641609) | more than 8 years ago | (#15004511)

From TFA:

More than 200 Web sites -- many of them belonging to legitimate businesses -- have been hacked and seeded with code that tries to take advantage of a unpatched security hole in Microsoft's Internet Explorer Web browser to install hostile code on Windows computers when users merely visit the sites.

Re:linking=vouching for (1)

Sqwubbsy (723014) | more than 8 years ago | (#15004651)

More than 200 Web sites -- many of them belonging to legitimate businesses -- have been hacked

<slashbot>Lemme guess what those sites were running...
*chortle*
*snort*
*chortle*
</slashbot>

Re:linking=vouching for (1)

99BottlesOfBeerInMyF (813746) | more than 8 years ago | (#15004546)

So how do these sites get hits? Are they Good sites that have just been compromised?

The most common scenario right now is a server is hacked, then e-mails and IMs are sent out with links to it. I don't know of any really popular sites that have been hacked to include this.

Re:linking=vouching for (1)

Machina Fortuno (963320) | more than 8 years ago | (#15004639)

You can always tell what a site is from the URL ya' know! Also... the article mentioned that this was a home computer that was infected. This of course means that along with just business, the computer is used for other things - if not even by other users (wife, kids, etc.). Google... yeah, that's a big one. When people use search engines, they many times blindly accept whatever link it is to be safe (hehe... I'm guilty). E-mail! A-hah! Someone or something that you trust gets infected, and sends you something automatically... and well, the rest is history. IE? Bah!

Patch released! (5, Funny)

spaztik (917859) | more than 8 years ago | (#15004459)

Download here:
http://www.mozilla.com/firefox/ [mozilla.com]

Re:Patch released! (0)

Anonymous Coward | more than 8 years ago | (#15004700)

Legislation Needed? (5, Insightful)

RunFatBoy.net (960072) | more than 8 years ago | (#15004461)

I understand that there will be bugs. BIG gaping security holes will happen.

I worked at an air force base and they were definitely standardized on IE. Knowing about these bugs and electing _not_ to fix them expediently, couldn't this be considered a threat to national security?

If there are over 160 million+ computers in the US alone, and 90% of those PC's use Internet Explorer, how can the US Gov. not justify action in insisting these issues be resolved promptly?

Jim http://www.runfatboy.net/ [runfatboy.net] -- Exercise for Web 2.0

Re:Legislation Needed? (5, Interesting)

teshuvah (831969) | more than 8 years ago | (#15004547)

I work on an air force base, and not only is IE the standard, but Firefox is on the list of unapproved apps, so if you're caught using it via the monthly scans, you're forced to uninstall it.

Re:Legislation Needed? (0)

Anonymous Coward | more than 8 years ago | (#15004678)

> I work on an air force base

You've got bigger problems than just which browser you have to use, I'm sure.

Re:Legislation Needed? (1)

OmegaBlac (752432) | more than 8 years ago | (#15004595)

I worked at an air force base and they were definitely standardized on IE. Knowing about these bugs and electing _not_ to fix them expediently, couldn't this be considered a threat to national security?

Maybe the U.S. Air Force needs to take the initiative themselves and find some other browser to standardize on such as Firefox or Opera. The US Air Force, I'm sure of it, has knowledge of Internet Exploiter's abysmal security yet because of the so-called benefits of ActiveX and Microsoft's lobbying efforts, the US Air Force only has themselves to blame for using such insecure software. Why wait for Redmond to get up off their asses to fix IE security problems--we are talking almost 20 unpatched/unfixed vulnerabilities for the past couple of years--when you can be using a solution (Firefox, Opera, anything but IE) that at least, at the minimum has a better security track record than IE and timely patching of their software?

Re:Legislation Needed? (1)

value_added (719364) | more than 8 years ago | (#15004637)

Knowing about these bugs and electing _not_ to fix them expediently, couldn't this be considered a threat to national security?

Sure. But like our Commander in Chief said recently with respect to the ports management fuss, we have to balance the interests of national security with those of commerce. Achieving a similar balance with individual rights and freedoms, on the other hand, I guess is out of the question.

The moral of the story is that if you're a big company or a monopoly, your interests count. Unless, of course, you're a member of that small but increasingly vocal minority that actually bothers to vote and can exert some influence on what your elected representatives do to earn their keep.

Re:Legislation Needed? (2, Insightful)

jmorris42 (1458) | more than 8 years ago | (#15004697)

> If there are over 160 million+ computers in the US alone, and 90% of those PC's use
> Internet Explorer, how can the US Gov. not justify action in insisting these issues
> be resolved promptly?

No, how about secure sites take responsibility for their own incompetence. Both Windows and IE are licensed (and on large sites it really is a license and not a sale) on a general disclaimer of all warranties for suitability to purpose, security, etc. Add in a decade long record of having more remote exploits per year than sendmail's worst year and any IT organization using Windows in general and IE/Outlook especially should be mass terminated for cause, said cause being their choice between gross incompetence and willful disregard for national security.

From a security perspective ANYTHING would be an improvement over deploying Windows/IE/Outlook, OS/2 + Mozilla, Old PowerMacs running OS 9, anything. So any site where security is important, such as the US Military, Department of Homeland Security, etc. deploying the standard Win crap has only itself to blame. Yes saving money by buying COTS is a good thing, but only when it doesn't compromise national security, and if anyone can make an argument that buying Windows isn't risking national security I'd really like to hear em make the pitch.

somebody should tell.. (-1, Redundant)

Anonymous Coward | more than 8 years ago | (#15004463)

..Reaz Chowdhury not to check pron sites with IE :)

"I don't know what sites"... sjeezzz check your history :)

As someone involved in IT... (-1, Redundant)

Anonymous Coward | more than 8 years ago | (#15004467)

... he should know better. Why use IE ?

Re:As someone involved in IT... (0)

Anonymous Coward | more than 8 years ago | (#15004684)

He's not involved in IT. He's a fucking oracle employee - that means he doesn't know jack fuckin shit.

Yep... (-1, Troll)

eno2001 (527078) | more than 8 years ago | (#15004469)

...Microsoft is tough on security like the Bush administration is tough on "terra". ;P

Re:Yep... (0)

Anonymous Coward | more than 8 years ago | (#15004505)

Does that mean we can declare war on Microsoft for having Weapons of Mass Dysfunction?

Re:Yep... (1)

Elwood P Dowd (16933) | more than 8 years ago | (#15004559)

In a better analogy, we would declare war on Novell.

That's why I stay with #2 or #3 (4, Interesting)

jellomizer (103300) | more than 8 years ago | (#15004485)

My Rule of thumb is whenever possible choose and use the #2 or #3 popular software. The #2 and #3 have enough features to be useful but gets less attention than #1. Use Linux or OS X instead of Windows, Choose Opera, Firefox, Safari over IE. No it is not a fixed in stone rule but I find it helps me out more than it hinders me.

Not really (2, Informative)

WindBourne (631190) | more than 8 years ago | (#15004618)

You are making the assumption that attacks come after the most popular software. If you read the interviews with the coders (not the SKs that will grab, slightly mod, and release them), you will find that they rarely go after code due to popularity. They go after code because it is so simple to do so. Basically, Windows, IE, Outlook, and IIS are just so easy to attack.

In fact, if MS is successful in creating an OS and set of apps that are more secure than the others, it will mean that Linux, BSD, Mac, and other *nix will be the target. Statistically and historically, I seriously doubt that MS can do it, but they appear to be doing the right thing.

Re:That's why I stay with #2 or #3 (1)

Machina Fortuno (963320) | more than 8 years ago | (#15004661)

Exploits, viruses, hacks, etc. are made with the intent of abuse. Why would someone waste their time finding a hole in something that 10% of the population uses when you find an easier target with 90%. It isn't that Firefox/Opera/Safari isn't 100% safe... just that people don't go after them quite as much.

Re:That's why I stay with #2 or #3 (1)

tpgp (48001) | more than 8 years ago | (#15004680)

My Rule of thumb is whenever possible choose and use the #2 or #3 popular software.

Indeed - I do likewise, which is why I choose to run IIS (tm) on all my webservers, having a lower profile than Apache has made it far less likely to be attacked.

Seriously - whilst there is correlation between popularity of a project & number of attacks, there is no link between popularity and number of vulnerabilities.

A well written application is a well written application, regardless of popularity (look at openSSH).

Re:That's why I stay with #2 or #3 (1, Insightful)

Anonymous Coward | more than 8 years ago | (#15004745)

My Rule of thumb is whenever possible choose and use the #2 or #3 popular software.

So your best security advice is to run IIS?

Huh? (0)

Anonymous Coward | more than 8 years ago | (#15004749)

The #2 and #3 have enough features to be useful but gets less attention than #1.

So, you are claiming that as #2 and #3 get less attention, they'll eventually become #1? I don't think so. They can only become #1 by getting more attention, not less.

Now that's a solution! (4, Insightful)

zubinjdalal (816389) | more than 8 years ago | (#15004497)

FTA: Microsoft says Windows users should "take care not to visit unfamiliar or untrusted Web sites that could potentially host the malicious code"...

Sure I could guess but which ones exactly would those be?

Re:Now that's a solution! (2, Funny)

tinkertim (918832) | more than 8 years ago | (#15004551)

I'm guessing Mozilla is at the top of the list ...

Re:Now that's a solution! (1)

thewils (463314) | more than 8 years ago | (#15004602)

My guidelines for using IE are that if I didn't write the site myself, I use Firefox to browse it.

"... said he's not sure which site he browsed..." (5, Funny)

UberOogie (464002) | more than 8 years ago | (#15004500)

*cough*porn*cough*

nope (1)

dotpavan (829804) | more than 8 years ago | (#15004531)

FTFA: "According to a list obtained by Security Fix, hackers have infected at least 200 sites, many of which you would not normally expect to associate with such attacks (i.e., porn and pirated-software vendors). "

So, it wasn't pr0n. But c'mon, couldn't he check the history and let others know?

Re:nope (4, Funny)

UberOogie (464002) | more than 8 years ago | (#15004585)

You and your facts and your articles, bah. It's funnier my way.

Re:"... said he's not sure which site he browsed.. (2, Interesting)

Absolut187 (816431) | more than 8 years ago | (#15004662)

The article says that the user must have "active scripting" enabled to be infected.

I'm surprised that a programmer would not have the common sense to disable active scripting for the internet at large, and only enable ActiveX and scripting for Trusted Sites.

And obviously you don't put porn in trusted sites.

As much as I hate to defend MS, (MS Word makes me so incredibly angry), but it seems that a lot of problems with IE are really a result of users who don't take the time to secure it in the options. Sure it should be more user-friendly.

Re:"... said he's not sure which site he browsed.. (0)

Anonymous Coward | more than 8 years ago | (#15004734)

Have you ever tried to use Internet Explorer with "Active Scripting" set to ask for permission before running?

It's impossible to get anything done. So you either leave it on (if you want sites with JavaScript to work) or you turn it off and then decide to use another browser.

If you *are* stuck with IE, you can't reasonably get around this.

Re:"... said he's not sure which site he browsed.. (0)

Anonymous Coward | more than 8 years ago | (#15004769)

If you were to spend so much time on making sure your machine is that secure, how much time do you think you have left to be productive? Big O, Zero, Nil, Nada, Zill'sh etc...

*sigh* (1)

bigattichouse (527527) | more than 8 years ago | (#15004504)

Hmm.. I use firefox.

I have probably made over $1000 in the past year in $35.00 increments just running adaware, hijackthis and spybot for people around town, and then recommending firefox. Probably 10 times that amount for my commercial clients.

I used to run them on my box all the time, until I put firefox on... now I run them once a month or so - mainly for giggles and a healthy dose of paranoia. Clean.

When will they learn?

Re:*sigh* (1, Informative)

Absolut187 (816431) | more than 8 years ago | (#15004607)

I had firefox for a while - not recently - and a lot of sites didn't work properly.

Also, as a part-time webadmin, I noticed that firefox displays things differently from IE.

Since over 90% of visitors use IE, I have to design the site for IE.

So why don't they program firefox to render pages the same way IE does it?

Re:*sigh* (1)

jacksonj04 (800021) | more than 8 years ago | (#15004695)

Because IE doesn't meet the standards. Firefox isn't perfect, but it's a lot closer than IE.

The majority of new browsers (NOT browser installations) are heading towards full standards compliance, so it is in fact IE which is the odd one out despite having the largest slice of users. Since developers get pissed at having to design specifically to work around IE's problems, MS is now seeming to make an effort to meet standards with regards to CSS etc.

Re:*sigh* (0)

Anonymous Coward | more than 8 years ago | (#15004708)

You know, silly stuff like web standards. Stuff only linux hippies care about. They will not make your life easier as a web-admin, contrary to popular belief. Keep paying us at microsoft^H^H^H^H^H^H^H^H^H^H^H^H keep using IE and you'll be fine. It's not like we^H^H microsoft is using web-developers like you to lock in people. Keep up the good work!

Re:*sigh* (1)

Cal Paterson (881180) | more than 8 years ago | (#15004715)

Because it's wrong damnit. Read up on web standards. That is what you should follow when you design a web page. If you're smart you can also use html tidy [w3.org] to fix your broken code in most cases.

Re:*sigh* (2, Funny)

MasterC (70492) | more than 8 years ago | (#15004721)

So why don't they program firefox to render pages the same way IE does it?

I'm just flabbergasted at the thought that I'm not even sure where to begin on a reply. What you are asking...is basically asking them to...break...firefox. I'm all for demolition and breaking stuff just as much as the next guy but that's usually in the name of progress and I see little "progress" in such a proposal.

As lame and well-used as it is: what you're proposing is for the firefox developers to jump off a bridge just because 90% of the people are doing it...

By no means am I saying firefox is perfect, but....damn dude.

Re:*sigh* (0)

Anonymous Coward | more than 8 years ago | (#15004723)

So why don't they program firefox to render pages the same way IE does it?


You and 90% of the people who visit your website are depressingly stupid. Get off the internet.

Re:*sigh* (1)

Professor_UNIX (867045) | more than 8 years ago | (#15004725)

Since over 90% of visitors use IE, I have to design the site for IE.

So why don't they program firefox to render pages the same way IE does it?


Because IE is displaying them incorrectly and is not standards compliant. Just because Microsoft's calculator application says 2.45+2.45=5 doesn't mean it's correct. The most intelligent thing you could do is write your web pages for Firefox and then have Javascript that munges the IE-specific parts so it displays "correctly" for users using the broken IE browsers.

Re:*sigh* (1)

Run4yourlives (716310) | more than 8 years ago | (#15004750)

Sigh indeed.

So why don't they program firefox to render pages the same way IE does it?

Because that's not the standard. Firefox (and pretty much any other browser) follows the W3C recommendations closer than IE. IE is the crappy one. Take your frustrations out on them.

Considering IE7 will fix a good deal of bugs IE6 has, you may want to consider learning to code to standard as well... considering that "designing the site for IE" now constitutes designing for 4 different rendering styles itself (5.01, 5.5, 6, 7)!

Re:*sigh* (1)

makomk (752139) | more than 8 years ago | (#15004790)

So why don't they program firefox to render pages the same way IE does it?

To be honest, between all the bugs, quirks, and unexpected behaviour I doubt even Microsoft could program a web browser that renders pages the same as IE does. (Hell, whenever they release a new version, webmasters always seem to complain about it breaking their pages, and IE 7 probably won't be any different - but they have to live with it).

OLD! Look at the date of this info (1, Insightful)

Anonymous Coward | more than 8 years ago | (#15004514)

What is happening to slashdot? This is sooooo OLD!!!

In other news... (5, Insightful)

zolaris (963926) | more than 8 years ago | (#15004533)

Related, F-Secure posts: "Microsoft has put out a warning on a new, nasty, unpatched vulnerability in Internet Explorer. Proof-of-concept exploits are already out. Disable IE's active scripting or switch to any other browser. Not necessarily Firefox - just any other browser. " It's sad when the solution is "Any other browser".

Re:In other news... (1)

LiquidCoooled (634315) | more than 8 years ago | (#15004664)

Is IE 7.0 included in that definition?

Re:In other news... (1)

zolaris (963926) | more than 8 years ago | (#15004798)

I am going to take a wild stab and assume they meant stable non-beta releases.

Here we go again.... (4, Informative)

beheaderaswp (549877) | more than 8 years ago | (#15004535)

Sometimes one wonders how Microsoft maintains its customer base in the face of these kinds of security problems. It's truly scary. And I don't need a refresher in the market forces at work.

Over on the linux, and alternative browser side, where I live, I see patches coming out very quickly for any kind of exploit.

Sadly, the patch for the new IE flaw is scheduled for April 11th? This is according to a BBC report here:

http://news.bbc.co.uk/2/hi/technology/4849904.stm [bbc.co.uk]

Can't they do better than that? How about an emergency patch, followed by a fully tested one? Just something to knock the vulnerability into non-functional status? Hey, it's fine if the patch is imperfect- I'll beta test to save my banking information. Really.

I suppose I wouldn't have a problem with Microsoft's monopoly if they actually service me as a customer well enough that they deserved a monopoly position. I like a lot of their software. But these kinds of security issues need to be addressed better and faster.

Ironically, I pay a lot less for my linux servers and get better responses for both support and patches. That makes a difference to me.

Re:Here we go again.... (0)

Anonymous Coward | more than 8 years ago | (#15004576)

Microsoft can't do it any earlier, because they have redirected all programmers to work on Vista.

Serious Question (not flamebait) (3, Interesting)

MudButt (853616) | more than 8 years ago | (#15004537)

What's the general opinion? If the majority of casual surfers used Firefox or other alternative, would reverse engineers switch focus to those apps?

If the goal is to infect the most systems, then by default, you'd avoid Mozilla or Konqueror simply because (at best) you could only hope to control a fraction of machines with active internet connections. Maybe this question has been asked before...

Re:Serious Question (not flamebait) (2, Insightful)

99BottlesOfBeerInMyF (813746) | more than 8 years ago | (#15004645)

What's the general opinion? If the majority of casual surfers used Firefox or other alternative, would reverse engineers switch focus to those apps?

What makes you think the majority don't focus on alternative browsers now? From what I've seen there are about as many people pounding on Firefox as there are on IE. It's just the people who find things in Firefox usually get them fixed much more quickly. Of course if Firefox gains in market share more people will look for holes, but that does not mean it will ever have the level of problems IE does because of the design decisions and the development process. Heck, right now there are two completely different unpatched remote exploits to install and execute Foo via IE. The fact that a hole can be discovered, reported, the discoverer can get tired of waiting for MS, it can be publicly published, someone can make an exploit, and script kiddies can deploy it everywhere all before MS can get a patch out is intolerable. That more than one such hole can happen at a time is just sad.

Re:Serious Question (not flamebait) (1)

redheaded_stepchild (629363) | more than 8 years ago | (#15004658)

It's not a question of perfect, unexploitable code, it's a question of timeliness to patch the exploit. AFAIK, Firefox, Opera, etc. tend to have turn around times far quicker than MS does for IE. This particular exploit has been out since what, December? And they apparently plan to patch it in April? That's an awfully large gaping window for the script-kiddies to go to town. Also, whenever MS does release a patch, there's a fair chance the patch itself is exploitable or opens another exploit. Besides, why use a browser you KNOW will be compromised one way or the other when there are functional, similar-to-use browsers available for FREE? Top that off with the optionals being somewhat more secure by default, more compliant with web standards, and user-configurable (let's hear it for Firefox Extensions).
 
Seems like a no-brainer to me...

Re:Serious Question (not flaimbait) (0)

Anonymous Coward | more than 8 years ago | (#15004665)

"What's the general opinion? If the majority of casual surfers used Firefox or other alternative, would reverse engineers switch focus to those apps?"

Why would you need to reverse engineer software when you have the complete source code?

"If the goal is to infect the most systems, then by default, you'd avoid Mozilla or Konqueror simply because (at best) you could only hope to control a fraction of machines with active internet connections. Maybe this question has been asked before..."

If browser market share was more evenly split, this disincentive would apply to *all* of them.

Will IE in Vista be in managed code? (3, Interesting)

WoTG (610710) | more than 8 years ago | (#15004544)

Of all the bits of software in Windows, perhaps IE should be at the top of the list for migrating to .net managed code. It seems to be the most problematic (not necessarily because of code quality, but because it's a big juicy target for hackers).

Re:Will IE in Vista be in managed code? (1)

SloppyElvis (450156) | more than 8 years ago | (#15004784)

Not if Richard Grimes' analysis [slashdot.org] is correct...

a programmer for Oracle Corp (1)

Ajehals (947354) | more than 8 years ago | (#15004554)

So he really should know better then?

Enter Sherlock Holmes ... (1)

molarmass192 (608071) | more than 8 years ago | (#15004761)

So he really should know better then?

From that one line I deduce that you've never worked at Oracle. There are still some talented people there, but much of the top talent has long since jumped ship.

Screw that - use IE (0, Flamebait)

Weaselmancer (533834) | more than 8 years ago | (#15004593)

And keep on using it. IE gets attacked most often because it's the most popular browser.

It keeps my Firefox experience nice. And it keeps the guys at Geek Squad employed.

Was the City of Tuttle, Oklahoma... (5, Funny)

sharkey (16670) | more than 8 years ago | (#15004596)

one of the sites that has been "hacked" to exploit this flaw?

Keep an eye on this one.. (5, Informative)

Dynamoo (527749) | more than 8 years ago | (#15004603)

If you're an admin of machines running IE then it will be worth keeping an eye on this one. The best place is the Internet Storm Center [sans.org] which usually updates several times a day and links to other sites of interest. (Be sure to check the diary archive).

This is a little like the WMF flaw [microsoft.com] that became known just after Christmas. Eventually MS had to provide an out-of-cycle patch (even if it was just a few days early) because of the bad press they were getting. From the looks of things, the patch for this one will be ready soon too.. so any kind of noise you can make to get an early release would be a Good Thing.

Yeah yeah, MS will get a lot of flak from Slashdotters on this, but you should bear in mind that they also provide some decent patching tools like WSUS [microsoft.com] for administrators to roll these things out. Personally, I never use IE on my Windows box, but I'm afraid it's still a fact of life in most large businesses.

Windows is more secure. (2, Insightful)

xmorg (718633) | more than 8 years ago | (#15004606)

I have heard about all these tests that they put up a windows server vs a Linux/BSD server and you get Windows being more "secure" in certain areas, etc.

But this is what we are talking about when we say LESS secure. Anyone running a server in a professional environment is expected to know what he or she is doing. What windows lacks in security has to do with workstations/personal computers at a person's home browsing the web on IE, who is not a security expert and shouldn't need to be! Windows continues to leave the \windows \windows\system, windows\system32, and the system registry wide open to any executable/script hacker who wants in.

My friends log on to the net and start clicking around, etc, and voilà! you are full of virii and malware so thick it baffles most techs nowadays.

IE7 beta2 is the solution? Not for 2K users (2, Insightful)

smooth wombat (796938) | more than 8 years ago | (#15004619)

From the article:

Microsoft says Windows users should "take care not to visit unfamiliar or untrusted Web sites that could potentially host the malicious code" and that people who want to use IE should either disable "active scripting" or download the IE7 beta2 preview.

That's nice. Now when is Microsoft going to code IE7 to work on the hundreds of thousands (millions?) of pcs still running Windows 2000?

They're not? You mean I have to shell out more money to get a fix for a problem which is caused by their product?

Just another reason not to go with Vista. Another Mac convert on the way.

Re:IE7 beta2 is the solution? Not for 2K users (0)

Anonymous Coward | more than 8 years ago | (#15004650)

Title: WTF! (0, Offtopic)

starman97 (29863) | more than 8 years ago | (#15004629)

Someone's been smoking way too much crack@!

That title makes no sense at all.
It's just a list of keywords for google to latch onto.

Use IE to browse your own website only (1)

Eustace Tilley (23991) | more than 8 years ago | (#15004654)

What kind of wishful thinking persuades someone that IE is suitable for browsing any website except the ones you have written personally?

easy fix in XP (3, Interesting)

TheRealBurKaZoiD (920500) | more than 8 years ago | (#15004659)

Just set a software restriction policy to disallow executables from running from your temporary internet files. It's one of the first things I ever do when I set up my PC. Easy-peasy, japanesy.
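One way to set up the software restriction policy described in the comment above, as an added example that is not part of the original comment: a PowerShell script that writes a "Disallowed" path rule for the current user's IE cache. It assumes an elevated session on a machine without domain Group Policy; the rule description text and the subset of designated file types are choices made for this example.

```powershell
# Added example: a "Disallowed" Software Restriction Policy path rule for the IE cache.
# Run elevated. Domain Group Policy, if present, will overwrite these local values.
$root = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Ensure-Key($Path) {
    # Create the key (and its parents) only if missing, so existing rules are kept.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
}

function Set-Value($Path, $Name, $Type, $Value) {
    # New-ItemProperty -Force creates the value or overwrites an existing one.
    New-ItemProperty -Path $Path -Name $Name -PropertyType $Type -Value $Value -Force | Out-Null
}

# Base policy: everything stays Unrestricted unless a rule says otherwise.
Ensure-Key $root
Set-Value $root DefaultLevel       DWord 0x40000   # 0x40000 = Unrestricted, 0 = Disallowed
Set-Value $root TransparentEnabled DWord 1         # 1 = enforce on executables, not DLLs
Set-Value $root PolicyScope        DWord 0         # 0 = all users, including administrators
# Designated file types checked when a file is opened (subset chosen for this example).
Set-Value $root ExecutableTypes MultiString @('BAT','CMD','COM','EXE','HTA','MSI','PIF','SCR')

# Path rules at the Disallowed level live under ...\0\Paths\{GUID}.
$ruleId = '{' + [guid]::NewGuid().ToString() + '}'
$rule   = "$root\0\Paths\$ruleId"
Ensure-Key $rule

# Registry path rule: resolves each user's Temporary Internet Files folder at check time.
$cache = '%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%'
Set-Value $rule ItemData     String $cache
Set-Value $rule SaferFlags   DWord  0
Set-Value $rule Description  String 'Block execution from the IE cache (example rule)'
Set-Value $rule LastModified QWord  ([DateTime]::UtcNow.ToFileTimeUtc())

# Read the rule back to confirm what was written.
Get-ItemProperty -Path $rule | Select-Object ItemData, SaferFlags, Description
```

Processes that are already running keep the policy they started with, so log off and back on before testing the rule.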

It just never stops (0)

Anonymous Coward | more than 8 years ago | (#15004682)

How many patches for IE bugs have we been through? How many more do you suspect there still are? Does anyone really think IE7 will be any better? Why isn't everybody using any other browser? Let me emphasize that: any other browser does not have this problem and most every other problem that IE has suffered from for the last 10 years! Why the hell is everyone still using it? Why will everyone still be using it when the next vulnerability is discovered that allows hackers to steal passwords, bank accounts, everything? When will Microsoft finally be liable financially for the shitty code they have foisted upon the world?

Sites with the attack (0, Redundant)

G00F (241765) | more than 8 years ago | (#15004685)

"said he's not sure which site he browsed in the past 24 hours that hijacked his browser"

Sure he does, he just doesn't want to admit to others that he still surfs pr0n.

DISABLE ACTIVEX!!! (1, Informative)

erroneus (253617) | more than 8 years ago | (#15004694)

For crying out loud, that's probably like 99% of MSIE's vulnerability. I know it's one of Microsoft's "gems" and one of its primary tools to keep the competition locked out the areas they currently control, but it's seemingly forever the access point to evil-doers' access to people's computers. Disabling ActiveX is almost always if not entirely the answer to the problem in the short term.

I don't know what the best answer should be for those who need to use activex in the meantime... I guess it's kinda like smoking or other addictions that are generally risky and unhealthy -- it's painful to stop but pretty damned necessary.

Editors let another dupe through? ;) (0, Offtopic)

necro2607 (771790) | more than 8 years ago | (#15004719)

Man, those Slashdot editors sure do let a lot of dupes through, eh? ;) hehehe...

What do the Wall street guys think? (0)

Anonymous Coward | more than 8 years ago | (#15004756)

It is going to be interesting to see when one of these "late patches" will cause major infection on computers, used by the Wall street guys, who analyse Microsoft corporation as a business.

Microsoft's new product line development is pretty much based on more sophisticated, easier integration of different, existing Microsoft products and features - instead of new products. These integration features create security risks.

It's like having a mining company, which has a business model, which is specifically based on exploring increasingly dangerous resources. At one stage this business strategy itself will have to be deemed extremely risky and unmaintainable.

Is Microsoft approaching this borderline?

Repeat after me--"Use FireFox" (1)

bill_kress (99356) | more than 8 years ago | (#15004785)

Use FireFox, Use FireFox, Use FireFox, Use FireFox...

I know I'm preaching to the choir, but maybe we need another round of "Spread the word". I keep the "Open in IE" function available for emergencies (like a root login), but by default I use a browser that is not so heavily integrated into the OS, is lighter weight and is peer reviewed.

Why aren't we ALL insisting on these features wherever possible???