
Slashdot: News for Nerds

239 comments

Whatever (2, Funny)

paranode (671698) | more than 7 years ago | (#16135358)

This thing is so hyped up, my IE has never NO CARRIER

The power of Open Source (-1, Troll)

The_Abortionist (930834) | more than 7 years ago | (#16135407)

Until Sun opens up the source to Javascript with a GPL-compatible license, browsing the web will be totally insecure.

Come on Sun, billions of people are counting on you!

Re:The power of Open Source (4, Informative)

dosius (230542) | more than 7 years ago | (#16135449)

You confuse Java and Javascript. Javascript comes from Netscape, not Sun, and it's certainly open source [mozilla.org] for the Netscape implementation (GPL even!). So "whatchu talkin' 'bout Willis?"

-uso.

Re:The power of Open Source (0)

ruiner13 (527499) | more than 7 years ago | (#16135871)

And javascript comes from ECMAScript [wikipedia.org] ... which is an open standard.

Re:The power of Open Source (1)

painQuin (626852) | more than 7 years ago | (#16135684)

billions of people are counting on Sun ... for light and heat and not going spiraling off into the void of nothingness! yeah, that sun.

Sorry, has to be done... (5, Funny)

RManning (544016) | more than 7 years ago | (#16135361)

Dupe!!!

Re:Sorry, has to be done... (1)

Rakshasa Taisab (244699) | more than 7 years ago | (#16135422)

So this is in fact merely a one-dupe exploit?

Re:Sorry, has to be done...To kdawson (0, Flamebait)

cloricus (691063) | more than 7 years ago | (#16135444)

I blame kdawson...Please for the love of god learn formatting!

I realise you are new and it's probably hard though more effort is required! Don't post crap, and don't spam up the crap you do post with extra lines and pointless links and and and and and...Just be CmdrTaco or Zonk then there won't be a problem! It's getting annoying reading /. while you are editing it. :( (Watches karma playfully slide around in the mud from this comment.) Also welcome to our favourite IT news site. ;)

Zonk? Are you kidding me? (2, Interesting)

bunions (970377) | more than 7 years ago | (#16135604)

Half his posts contain simple spelling errors a spellchecker could find, and the other half are dupes.

To be fair to Zonk (0)

Anonymous Coward | more than 7 years ago | (#16135640)

Some of his posts are both error filled and dupes.

Zero-day patch already available (0)

Anonymous Coward | more than 7 years ago | (#16135368)

Details here [browser.org] .

(hey, we gotta get creative every once in a while, no?)

Re:Zero-day patch already available (3, Funny)

Anonymous Coward | more than 7 years ago | (#16135417)

Lynx? The absolutely safest method is this:

$ telnet slashdot.org 80
Trying 66.35.250.150...
Connected to slashdot.org.
Escape character is '^]'.
GET / HTTP/1.1
Host: slashdot.org
User-agent: none



It even makes it easier to read the Futurama quotes in the headers!

Re:Zero-day patch already available (0)

Anonymous Coward | more than 7 years ago | (#16135586)

Ahhh.... telnet doesn't work; just checked it out. This will work:

curl http://slashdot.org/ | less

Enjoy........

Re:Zero-day patch already available (1)

imemyself (757318) | more than 7 years ago | (#16135708)

Telnet works just fine for me.


mini:~ idontwanttoputmyrealusernamehere$ telnet slashdot.org 80
Trying 66.35.250.150...
Connected to slashdot.org.
Escape character is '^]'.
GET / HTTP/1.1
Host: slashdot.org

HTTP/1.1 200 OK
Date: Tue, 19 Sep 2006 03:53:05 GMT
Server: Apache/1.3.33 (Unix) mod_gzip/1.3.26.1a mod_perl/1.29
SLASH_LOG_DATA: shtml
X-Powered-By: Slash 2.005000126
X-Bender: That's not my gold-plated 25-pin connector.
Cache-Control: private

Re:Zero-day patch already available (2, Funny)

bangenge (514660) | more than 7 years ago | (#16135786)

I love lynx and all, but there are people who need to see pr0n, right? The more pop-ups that lead to more pr0n sites, the better! Think of the children!

Well yeah (1)

cheese-cube (910830) | more than 7 years ago | (#16135371)

It was bound to happen. Exploits like this don't just go unused. I have a real gripe against Javascript. I hate using it because it's messy and insecure. They should really smarten up Javascript just like they did with VB in its .NET form.

Re:Well yeah (2, Insightful)

Scoria (264473) | more than 7 years ago | (#16135390)

You shouldn't blame the language. Blame their implementation of that language.

Re:Well yeah (0, Offtopic)

riff420 (810435) | more than 7 years ago | (#16135394)

Fuck that! I don't care what you say, it's STILL Ebonics' fault!

No, you need to blame Javascript too. (5, Informative)

billstewart (78916) | more than 7 years ago | (#16135456)

Java was designed with a heavy-duty security model, using sandboxes and virtual machines and such to make sure that you could safely download code from other sites and run it, and while it's probably possible for somebody to come up with some implementation bug that lets you outside the box in ways that are exploitable, it's basically been solid since it came out, because it was designed to be safe.


Javascript was designed to be lightweight, friendly, and convenient, and almost anything related to security was later bandaids applied to the gaping wounds. It's possible and easy to write perfectly safe Javascript, but that's unfortunately totally irrelevant because it's possible to write Evil Javascript as well - so anybody who wants to run your "Safe" Javascript has to leave Javascript turned on for the Evil Javascripters as well.


IE does theoretically have a "security zone" mechanism that lets you identify trusted sites, so you can theoretically allow it to run purportedly-safe Javascript from people you trust while not running it from people you don't trust, but that's an annoying hassle. It'd be much safer if they'd built "WimpyScript", designed to be absolutely safe even if all it lets you do is make stuff flash decoratively when you wave a mouse at it; I guess CSS is as close as we get to that. PDF used to be safe, back when all it would do would be display static black or colored marks on virtual paper, but now it's helpfully willing to open web pages and run programs on your PC too.

Re:No, you need to blame Javascript too. (4, Insightful)

homerjfong (709647) | more than 7 years ago | (#16135506)

Don't be silly. The problem is implementation, not the language itself. The language was designed to do things like open windows, add popups, and manipulate strings. The reason there are security holes is that it was implemented as a fully-privileged com service, as was IE (via shdowvw). Basically the problem is that Javascript in IE can do anything that IE can do, and that IE can do just about anything, including installing software and monkeying around with files. It's possible to implement IE and Javascript in sandboxes just like you describe java. That's why (for the most part) Firefox is ok. It's only when FFX uses some core windows libraries (like WMF) that it gets into trouble. Now: it should be said that this isn't, strictly speaking, Microsoft's fault. They built a very open, flexible system, which was subsequently exploited by a lot of people who want to do you harm. Nevertheless, in the modern internet environment, they should really lock down what they're doing.

Re:No, you need to blame Javascript too. (1)

AnarkiNet (976040) | more than 7 years ago | (#16135540)

But, it's a "damned if you do, damned if you don't" situation for Microsoft. If they had "locked down" anything, people would be barking up their tree about lack of interoperability.

Re:No, you need to blame Javascript too. (2, Insightful)

Ucklak (755284) | more than 7 years ago | (#16135581)

No, it stems from the fact that they tied explorer into IE.

They wouldn't have been damned if they didn't, they just would have had to compete on merits instead of pushing product.
ActiveX is what really kicked Netscape's ass because that is what the masses liked, not IE's implementation of JS.

Re:No, you need to blame Javascript too. (2, Insightful)

porl (932021) | more than 7 years ago | (#16135720)

actually, what 'kicked netscape's ass' is the fact that you didn't *need* to download netscape... you already had a browser that the majority of other people used, so why download another one? by the way, i despise the fact that this was done by microsoft, in case you think i was arguing in favour of ie...

Re:No, you need to blame Javascript too. (0)

Anonymous Coward | more than 7 years ago | (#16135508)

You can disable Java Script in Adobe:

Edit -> Preferences -> Javascript (in categories section) -> uncheck the box called "Enable Acrobat Javascript"

Re:No, you need to blame Javascript too. (0)

Anonymous Coward | more than 7 years ago | (#16135591)

Java isn't even secure. The only way to have a 100% secure web browser is to use a text browser with no scripts. Maybe that is what we need to do, go back to using text browsers. Web sites shouldn't be using images let alone animations, music, fonts, or any kind of programming. A web page should only consist of markup language and text, nothing more. The markup language should only deal with hyperlinks, text styles such as bold, underline, etc., text input, and maybe colour. The files should only be saved, not run from the web browser with text based files being the only exception.

Re:No, you need to blame Javascript too. (2, Insightful)

joe90 (48497) | more than 7 years ago | (#16135626)

Don't you mean switched off and encased in a few cubic meters of concrete?

There is no such thing as "100% secure".

Re:No, you need to blame Javascript too. (1)

Don Giovanni (300778) | more than 7 years ago | (#16135613)

Couldn't some future browser (hopefully written in c#/.net/mono/cocoasharp) support only allowing per site scripts? Wait a minute! Firefox has the noscript extension, which never allows any javascript except those you explicitly allow.

D'oh!

Re:Well yeah (1, Informative)

Anonymous Coward | more than 7 years ago | (#16135773)

The Javascript language is not insecure. It's a high-level object-oriented language which does not allow you to mess with pointers, memory, etc. What is insecure is MS's implementation of it and the functions they expose to it through various objects.

Wow, nice resolution! (1)

Scoria (264473) | more than 7 years ago | (#16135372)

The Sunbelt blog notes, "This exploit can be mitigated by turning off Javascripting."

I'm certain that most Internet Explorer users don't write JavaScript.

kdawson? (1)

repruhsent (672799) | more than 7 years ago | (#16135375)

More like K-Dupe!

No surprise (5, Insightful)

Cold_Lestat (880518) | more than 7 years ago | (#16135377)

There are so many of these Zero Day exploits popping up that I'm just not surprised (or that interested) anymore. One thing I can't get over is how this is still happening? The amount of stigma now attached to IE has really damaged the product. If they are wise (Personal Opinion) I would scrap the entire codebase of IE and start with an entirely new one for VISTA and change the name so the product gets a new start at life. I don't know, call it Vic the Vista internet client (or Voom sounds better). I switched to firefox quite a while ago, before that, Mozilla, before that Opera and what the hey I even think I was using Netscape before IE and have never looked back. Sorry IE ;).

Re:No surprise (1)

Schraegstrichpunkt (931443) | more than 7 years ago | (#16135464)

If they are wise (Personal Opinion) I would scrap the entire codebase of IE and start with an entirely new one for VISTA and change the name so the product gets a new start at life.

They could just adopt Firefox if they wanted to, but they won't because it's Not Invented Here.

Re:No surprise (2, Interesting)

smash (1351) | more than 7 years ago | (#16135612)

If they are wise (Personal Opinion) I would scrap the entire codebase of IE and start with an entirely new one for VISTA and change the name so the product gets a new start at life.

This is not necessarily a smart idea.

If you simply start afresh, chances are that you're going to end up with all the same exploits all over again.

They either need to do a full security audit of the code (unlikely for microsoft), or they need to start afresh *and* write it in a language/toolkit that is impossible/much harder to attack via buffer-overflow.

I guess my point is that simply starting over (without changes made to the development method) will not help. I'll be interested to see how many issues vista has actually, seeing as they finally got the TCP/IP stack working reasonably well in XP SP2 and have decided to re-write it for vista from scratch :D

There is no such thing (1)

flyingfsck (986395) | more than 7 years ago | (#16135723)

as bad publicity...

The only thing people remember is the name.

Re:No surprise (1)

strstrep (879828) | more than 7 years ago | (#16135761)

The only reason that there are so many zero day exploits is that they're duped so many times.

Re:No surprise (2, Funny)

AmberBlackCat (829689) | more than 7 years ago | (#16135972)

Guys, my computer's still running. It's running Windows XP and I use all three browsers. I use Outlook and Thunderbird. I haven't reinstalled Windows ever on this machine. It's not crashing. Am I doing something wrong? My phone isn't snapping in half either. What am I doing wrong?

easier solution (5, Insightful)

User 956 (568564) | more than 7 years ago | (#16135379)

The Sunbelt blog notes, "This exploit can be mitigated by turning off Javascripting."

It can also be mitigated by using firefox.

Re:easier solution (3, Funny)

MadMidnightBomber (894759) | more than 7 years ago | (#16135409)

It can also be mitigated by using firefox.

Screw that! I'm going back to "telnet www.google.com 80"

And I'll do that within a VMware image running from a Live CD.

Re:easier solution (1)

benplaut (993145) | more than 7 years ago | (#16135995)

The darn terminal is clogging the tubes!

  gimmick:~ % telnet www.google.com 80
Trying 66.102.7.99...
Connected to www.l.google.com.
Escape character is '^]'.

and then it just stops...
no wonder the internets have been taking so long lately!

Re:easier solution (1, Interesting)

nmb3000 (741169) | more than 7 years ago | (#16135469)

Blah blah Firefox

I suppose now is as good a time as any to ask a question.

I still use IE as my default browser, simply because it loads *fast*. I don't have a brand new system, but when I click the little blue E, I have a browser window inside 2-3 seconds. When I click the little orange fox it often takes up to 8-10 seconds before the window has opened and loaded. I use 'about:blank' for the homepage in both browsers.

Are there any ways to reduce the time to load firefox? I'd even be fine with starting Firefox when Windows loads, keeping the executable in memory. Is this possible? I like a lot about Firefox, but its startup time and the GUI's "feel" have kept me using IE.

Thanks for any suggestions.

Re:easier solution (1)

shodai (970706) | more than 7 years ago | (#16135501)

There are many IE lookalike skins/themes available for Firefox. FF does have a fairly slow initial loading time, but I think it's only the first time it loads during that session, otherwise it's near instant. There are several tweaks available also, but I've never looked into anything dealing with launch delays.

Re:easier solution (1)

mrbcs (737902) | more than 7 years ago | (#16135517)

Buy more ram. Firefox will take longer to load the first time till it's in memory. IE "loads fast" because it's right in the windows code base. That is also why there are so many problems with it. Since it's tied to the OS, if the browser has an issue.. the OS has an issue.

I use Netscape 7.2 and yes, IE blows it away for start up time. Once I load Netscape the first time, any other time I load it it's almost instant because windows doesn't release the memory that it's stored in. Doesn't hurt to have a gig of ram either.

Try it. It's way safer and only a slight delay after a reboot.

Re:easier solution (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#16135614)

IE "loads fast" because it's right in the windows code base. That is also why there are so many problems with it.
No, and no. Neither of your "reasons" are correct. Idiot.

Re:easier solution (1)

canadiangoose (606308) | more than 7 years ago | (#16135530)

Well, you could put a link to it in your 'startup' folder and modify the properties of the link to start Firefox minimized. I'm not sure how you could keep a constant copy loaded in the background as I'm assuming IE does. As for the interface, you can get skins for Firefox that look almost exactly like IE.

Re:easier solution (1)

Jerf (17166) | more than 7 years ago | (#16135548)

I'd even be fine with starting Firefox when Windows loads, keeping the executable in memory.
There is a folder in your Start Menu labelled "Startup" (or something similar). Drag a copy of the Firefox shortcut into that folder. It will now load when windows loads. Don't close it.

If you're worried about taskbar pollution... well, you're using the wrong OS. (Or the wrong window manager, anyhow, but my experience is that certain basic assumptions about how Windows works are so deeply embedded into the Windows environment that alternate shells are usually pretty unsatisfactory.)

Re:easier solution (5, Informative)

sporkme (983186) | more than 7 years ago | (#16135592)

Fasterfox [mozdev.org] makes firefox load pages more quickly through various methods.
The Firefox Tweak Guide [tweakfactor.com] has many options for about:config and other tips for improving your specific experience.
Firefox Preloader [sourceforge.net] will make Firefox load more quickly by making Firefox do the same thing Internet Explorer does. Firefox will use system resources before being specifically called. The application will remain resident in memory like IE does, waiting for you to click the little fox. In this way, IE loads faster but slows overall system performance.
How to use UPX to speed it up a little [techsupportalert.com] is what this article can tell you. Probably not the best way to go about it, but I have implemented this method on my HTPC.

It is VERY important to realize that the few seconds you wait around for the initial loading of Firefox are quickly surpassed by the lag you experience while using Microsoft's Explorer. Firefox ignores many advertisements right off the showroom floor, but can be configured to show NEARLY NO ADS AT ALL. FlashBlock, [mozilla.org] AdBlock, [mozilla.org] and NoScript [mozilla.org] will make your browsing much faster and cleaner.

Using Firefox, especially with these and other add-ons, will make your browsing incredibly secure. Explorer is left in the dust in comparison.

So the trade-off you seem to have made is this: A few seconds at load time in exchange for a combined several minutes waiting for ads to be displayed, just so you can fall victim to the shiny! new! IE exploit that seems to get barfed all over Slashdot once a week. This while using an underdeveloped, overpriced, practically featureless browser that has no database of expansions. Unless you are using the Vista beta (7 beta) you aren't even using tabs! Do you choose to commute on a horse? HOW DID YOU EVER SURVIVE THE PERMIAN MASS EXTINCTION? [wikipedia.org] BAH! Why did I bother?

Re:easier solution (0, Troll)

kestasjk (933987) | more than 7 years ago | (#16135747)

Using add-ons like NoScript you can stop Firefox from executing JavaScript without your consent, but IE has this functionality built in. Using the Windows Live addon you can have tabs in IE too.

FF needs add-ons to remove JavaScript, IE needs add-ons for FF's tabs. The reason the IE seems more secure is that fewer people use it, those who do use it tend to be more computer savvy, and IE has bad default security settings (as is the Windows way). You can't really blame the IE team for this.

Re:easier solution (1)

imaginate (305769) | more than 7 years ago | (#16135900)

Or you can just use Opera :)

Re:easier solution (1)

Hachey (809077) | more than 7 years ago | (#16135928)

You sir, are hilarious. 'Do you commute on a horse?!' I cracked up so hard, I'm going to use that one (good heartedly) the next time I switch an IE user. ;)

Re:easier solution (1)

gumpish (682245) | more than 7 years ago | (#16135978)

And which extension plugs the embarrassingly large memory leak? I'd like to know.

Re:easier solution (4, Informative)

MightyYar (622222) | more than 7 years ago | (#16135629)

Yup... go here to install MinimizeToTray [mozilla.org] . MinimizeToTray enables the old "-turbo" option on the command line. Quit Firefox. Right click on the shortcut icon for Firefox that you use (mine is in the "Quick Launch" part of the taskbar). Click Properties. In the "Target" box you will see something like
"C:\Program Files\Mozilla Firefox\firefox.exe"
Add the -turbo option so that it reads:
"C:\Program Files\Mozilla Firefox\firefox.exe" -turbo

The behavior now is a little confusing... the first time you click the shortcut, it will not open a window. Instead, it will make a Firefox icon appear in the tray. This confuses the holy fuck out of my wife (rightfully). However, subsequent clicks on the icon will give you instant Firefox. To make it cleaner, you can put a copy of the shortcut in your Startup folder. I don't do this because I hate startup programs :)

Re:easier solution (5, Informative)

causality (777677) | more than 7 years ago | (#16135663)

The reason why IE starts up so quickly is because the act of booting up Windows pre-loads IE in memory. When you click that blue 'E' icon (which points to an .exe file that is about 30k, as the rest is in DLLs which are already in memory), you're loading practically all of the program from memory, not the hard drive. This also means that whether you are using it or not, the amount of memory required for IE is always being consumed, even after you "close" it. Contrast this with clicking the Firefox icon, which has to read the executable off the hard drive and into memory prior to being able to run it. You didn't think the difference was due to IE being a leaner, more efficient program, did you?

There is a utility [sourceforge.net] which will allow you to also preload Firefox in memory on Windows. Of course, this does not give you the ability to unload IE from memory (decoupling IE from Windows, to any degree, is problematic at best).

Of course, how much an extra 6-7 seconds of load time will impact you would depend on usage. Personally I often leave the same instance of Firefox running for days at a time and leave it minimized on a virtual desktop when it is not in use, but if I were really worried about this on a Linux box then I would use prelink [gentoo.org] .

Re:easier solution (1)

cachimaster (127194) | more than 7 years ago | (#16135848)

Good thing that i never go to the porn websites that may trigger th NO CARRIER

javascript (0)

Anonymous Coward | more than 7 years ago | (#16135382)

a lot of commercial sites won't work with JS enabled these days, what a shame.

Re:javascript (1)

Agelmar (205181) | more than 7 years ago | (#16135412)

I have rarely seen a site that won't work with JavaScript enabled. I'm assuming you meant without JavaScript enabled...

Re:javascript (0)

Anonymous Coward | more than 7 years ago | (#16135441)

You don't know what you're missing with Javascript enabled. There's a whole noscript world out there ready to explore and enjoy.

Fine (1)

omeg12121293 (1001552) | more than 7 years ago | (#16135386)

My IE is fine and dandy over here

Let's help users move away from IE. (3, Insightful)

Anonymous Coward | more than 7 years ago | (#16135391)

Why do people still use IE? It's been shown time and time and time and time and time again that it's just not a suitable browser to expose to the dangers of the Internet. And it's not like people don't have alternatives; they do! Opera is free and available on most platforms. Firefox is free and available on most platforms. Seamonkey is free and available on most platforms.

It's rare these days to find a public site that depends only on IE. Most banking sites, which were really the only holdovers, have realized that Firefox support is necessary.

The only reason I can think of is ignorance. But even then, most people likely know somebody who could help them install Firefox or Opera for the first time. Maybe each one of us should pledge to tell one other person who isn't aware of the alternatives about them. Make a pact with that person: if they are pleased with their new browser, or it keeps their Windows system free of malware, have them tell one new person about Firefox or Opera.

Very rapidly, many people will be able to find out about the alternatives, and it'll benefit us all. Us geeks won't have to help relatives and friends with their malware-infested systems. Those users won't have to ask us to help them, or in the worst case, call the Geek Squad or otherwise bring their systems in for expensive and inconvenient "decontaminations" (often performed by fools). Plus the private data of those users is far more safe. In short, we all benefit.

Re:Let's help users move away from IE. (1)

Nimey (114278) | more than 7 years ago | (#16135492)

$ORK has a semi-custom intranet app that requires not only IE but ActiveX and (wait for it) the MS Java runtime. No, I don't know what adulterated crack they were smoking; it was before my time.

I've tried to switch users from IE to FF. It's been more successful with the ex-Netscape users, 'cause I can sell it and T-bird as a direct upgrade. Some people need Outhouse's calendaring features, and some people just can't cope with certain webshites not being compatible with FF, and other people just think that Microsoft writes the best software (whether it's from ignorance or just being used to MS products, I don't know). Personally I wish we'd have a Policy that forbids using Intestinal Expander (for security reasons, of course) that I can point to once I've disabled their access with Group Policy, but $DEPT has had a reputation for being jack-booted thugs that management is trying to escape.

Re:Let's help users move away from IE. (1)

soxos (614545) | more than 7 years ago | (#16135651)

It's been said before, but I'll link you to it again. IETab for Firefox will allow users to register sites to use (or open arbitrary tabs) using IE. It's still using IE to visit those sites (through the magic of imbedding) but at least you get your users to get used to Firefox. Then just install cards extension and show them adblock and you may find them as converts. http://ietab.mozdev.org/ [mozdev.org]

Re:Let's help users move away from IE. (3, Insightful)

Z34107 (925136) | more than 7 years ago | (#16135670)

People start with IE because it's the Windows default.

People stay with IE either because:

  • They don't care
  • They like it

If they don't care, why should we? It's their computer that they're leaving vulnerable, after all. Besides, Firefox is starting to lose its most definitive advantage over IE - as its popularity is increasing, so is the number of security vulnerabilities found, rivaling and even surpassing IE month to month.

Any differences in "speed" are pretty much a wash, too. Internet Explorer definitely starts faster, but it's integrated with the shell. Firefox uses an ungodly amount of memory and leaks it like a sieve. IE7 waits until it has the page 99% rendered before actually drawing it; Firefox will start drawing immediately, piece-by-piece as the site's downloaded. (Both, in total, seem to take the same amount of time.) ActiveX is known for being full of holes, but at least they try to sandbox it - Firefox extensions just blindly run native code.

Point is that as the differences between the browsers are diminishing - Firefox has forced IE to innovate and comply with standards and more and more pages are designed for Firefox and non-IE browsers. But, the security differences between the two are diminishing, and IE7s interface is cleaner and snappier now, IMHO.

Save the digivangelism for something more important than "Firefox isn't Microsoft." In Vista especially, IE is next to bulletproof - a reworked Windows kernel runs it within a virtual machine of sorts - and IE+Aero Glass has a much cleaner and prettyfuler interface. Use your browser of choice, but with alternatives and a little healthy competition forcing some new life into the browser world, there's fewer reasons to pick one over the other.

Re:Let's help users move away from IE. (5, Insightful)

Anonymous Coward | more than 7 years ago | (#16135835)

because their vulnerable computer, once part of a botnet, can be used to help attack our computers.

why should we get our friends to fix the brakes on their car? after all, it's their car, right?

I *only* use IE to run Javascript and ActiveX (4, Interesting)

billstewart (78916) | more than 7 years ago | (#16135392)

If I'm using IE, it's because I'm trying to access some site that uses ActiveX or uses Javascript in some IE-broken way, mainly doing tricks that the people who write the HR apps at work think are "useful", or one of the online web-based conferencing systems we or our customers use.

If I *didn't* need to be doing something dangerous and stupid, I'd be using some version of Mozilla instead of IE. Sigh.


Yes, I know IE has its security zone thingies that give me a way to restrict it, but it's still annoying.

You know... (1)

dexomn (147950) | more than 7 years ago | (#16135411)

You can't blame the vm if the browser is responsible.

Re:You know... (3, Informative)

abigor (540274) | more than 7 years ago | (#16135476)

Javascript has no virtual machine. It is not Java. The two languages are unrelated.

Re:You know... (1)

republican gourd (879711) | more than 7 years ago | (#16135617)

Not *entirely* true. Javascript (perhaps originally even) has some hooks to try and dig functionality out of actual Java Applets - code can be passed back and forth between them. But this was back from the bad old days when everybody thought that Applets would be the way of *everything*, when in fact it turns out they are just good for making spinning cubes and water effects and such.

russian bastards (0, Troll)

darkchubs (814225) | more than 7 years ago | (#16135415)

russian bastards

Re:russian bastards (0)

Anonymous Coward | more than 7 years ago | (#16135438)

Did they kill your son?

Oh wait, that was Klingons.

Anyway, I'm sure the needs of the many outweigh the needs of the few.

Or something like that.

Two browsers... (1, Interesting)

HatchedEggs (1002127) | more than 7 years ago | (#16135424)

This is the reason why I have two browsers... I use IE7 and Firefox, and if an exploit pops up, I can switch to the other until it is plugged. I generally prefer to use IE7 and keep the Firefox for back-up.

Of course, there are also tons of other browsers out there.. but I recommend to everyone to have two so that they can move to the other when an exploit is found in one of them.

Re:Two browsers... (1)

dexomn (147950) | more than 7 years ago | (#16135435)

The question is: Are you going to get 'owned' before you know there is an exploit?

Re:Two browsers... (3, Funny)

Schraegstrichpunkt (931443) | more than 7 years ago | (#16135474)

Of course not! Exploits don't exist until somebody announces them publicly!

Re:Two browsers... (1)

HatchedEggs (1002127) | more than 7 years ago | (#16135531)

Ahh, well that is always the problem, and it could happen to any browser.

Many exploits (though not all) are revealed before they are in the wild. Not all of course, but one has to accept a certain amount of risk. One should definitely take as many security precautions as possible.. but there will always be some risk.

Moo (5, Funny)

Chacham (981) | more than 7 years ago | (#16135455)

Zero-Day Slashdot
Posted by Chacham [slashdot.org] on 10:45 PM -- Monday September 18 2006
from the zero-day-is-overused dept.
[ Slashdot ] [ Teenagers ] [ Slow News Day ]
Chacham [slashdot.org] writes to tell us that an old zero-day Slashdot [slashdot.org] exploit has been found again and again and again. It looks to be a bug in all browsers. This comment notes, "The bug is in the Submit Story [slashdot.org] link, which is apparently easily available in the side bar."

No patch has been released. Story posters are standing by.

Re:Moo (1)

iknowcss (937215) | more than 7 years ago | (#16135509)

This is one of those comments where I wish I had a sock puppet account. One to mark this comment as funny, and one to mark it as insightful.

IE exploits (1)

sporkme (983186) | more than 7 years ago | (#16135475)

For a long time now, I have been sick of reading about IE exploits. When I was a retail repair tech, these could mean an extra buck or two for the next few weeks. The only real news about internet browser exploits comes when browser != iexplore.

Does it really matter anymore? (1)

diablo-d3 (175104) | more than 7 years ago | (#16135478)

If the stats on my website [adterrasperaspera.com] are any indication, there are more Firefox users than MSIE users. Since the beginning of September there have been roughly two times as many Firefox users as MSIE users, over almost 159k visitors.

IE on VM (3, Informative)

coobird (960609) | more than 7 years ago | (#16135488)

It seems like we're getting to a point where probably the only safe way to be surfing is by using a browser on a sandboxed virtual machine environment.

I'm not trying to point my finger only at Internet Explorer, but with security holes that can allow code execution, that's pretty scary. (And another case of buffer overrun? Maybe they ought to rewrite IE as managed code [microsoft.com], but that's another topic altogether.)

Oh that's perfect (1)

internetstruck (1002239) | more than 7 years ago | (#16135505)

"Zero-Day IE Exploit In the Wild" And I learn of this on the day I start surfing the web with Internet Explorer because I got my new computer and had to head over to mozilla.org to get Firefox. I hope the folks over there don't take advantage of all of the Internet Explorer users huh?

IE7? (1)

Kaenneth (82978) | more than 7 years ago | (#16135549)

Is the IE7 Beta/RC/whatever currently out affected?

I thought ... (1)

tomstdenis (446163) | more than 7 years ago | (#16135562)

"zero-day" meant you have something effective before release, e.g. "zero-day keygen" means you have a keygen that works before the product goes retail such that on the first day of distribution people can use it.

Clearly IE has been "out for a while" so you can't make a zero-day for IE.

Tom

Re:I thought ... (1)

smash (1351) | more than 7 years ago | (#16135587)

This is zero day, because it exploits a flaw before it has been reported to (or fixed by) Microsoft :)

It's not IE that's zero day, it's the exploit...

Re:I thought ... (1)

NearlyHeadless (110901) | more than 7 years ago | (#16135628)

From http://en.wikipedia.org/wiki/Zero_day [wikipedia.org]

"Zero-Day exploits are released on the same day the vulnerability -- and, sometimes, the vendor patch -- are released to the public. The term derives from the number of days between the public advisory and the release of the exploit. The term 'zero-day exploits' is sometimes misused to indicate publicly known exploits for which no patches yet exist."

The misuse of "zero day" in this article and "back door" in the Adobe article bother me more than the existence of the exploits themselves! Silly, perhaps, but true!

Re:I thought ... (1)

smash (1351) | more than 7 years ago | (#16135642)

Hrm, regardless of what Wikipedia says, I take 0 day to mean "zero warning"... whether it's out before the vulnerability is made public (which it kinda is anyway, by way of the exploit being out for it :D) or at the same time, the end result is the same...

Re:I thought ... (1)

BeeBeard (999187) | more than 7 years ago | (#16135615)

No, but you're close. "Zero day" is a term of art in the warez and virus writing communities. Here it just means that the exploit was released the same day as information about the vulnerability.

Re:I thought ... (4, Informative)

jschottm (317343) | more than 7 years ago | (#16135627)

I thought "zero-day" meant you have something effective before release

In exploit terms, n-day means the number of days after a fix is released for the problem exploited by the attack. Most notable worms of the past have been n >= 1 (often much more) attacks - either someone deduces the flaw based on the patch release or the flaw was already known but only guardedly used in order to do high level target attacks while it was still unknown to the public.

Zero day refers to attacks that are released before the flaw is publicly known. It's based on the specific flaw, not the application in general. Zero day attacks are nasty on two fronts - first, no one has specific protection or detection available for it, second, as mentioned, they are sometimes used on very specific targets. There was a recent string of what appears to be industrial espionage where very specific people have been sent MS Office attachments with previously unknown exploits in them.

Re:I thought ... (1)

MadMidnightBomber (894759) | more than 7 years ago | (#16135725)

"zero-day" meant you have something effective before release, e.g. "zero-day keygen" means you have a keygen that works before the product goes retail such that on the first day of distribution people can use it.

"Zero-Day exploits are released on the same day the vulnerability -- and, sometimes, the vendor patch -- are released to the public. The term derives from the number of days between the public advisory and the release of the exploit. The term 'zero-day exploits' is sometimes misused to indicate publicly known exploits for which no patches yet exist." [reference] [wikipedia.org] .

Now, I'd be sympathetic if you said it was a sucky term, but that's the accepted usage for better or worse.

My two cents... (2, Informative)

Antony-Kyre (807195) | more than 7 years ago | (#16135582)

Internet Explorer users should know by now not to surf with Javascript enabled. Disable it and add trusted sites to the "Trusted sites" list.

Re:My two cents... (3, Insightful)

shird (566377) | more than 7 years ago | (#16135824)

You do realise that would result in *less* security? The 'Trusted Sites' zone has far fewer security restrictions than the 'Internet' zone.

What you propose would require people to add the likes of Slashdot and Hotmail to the 'Trusted Sites' zone to function correctly. This effectively gives such sites far more access than you would probably like, much more than without playing with your 'zones' at all.

That's a daft proposal.

Re:My two cents... (3, Informative)

Antony-Kyre (807195) | more than 7 years ago | (#16135931)

Hotmail yes, because I believe Javascript is needed to click on some of the links, like for the folders.

Slashdot, no. Slashdot works fine without Javascript.

You don't have to pour a bunch of sites into the Trusted sites category. Only the ones that you are positive are safe and constantly use that REQUIRE javascript.

No need to worry! (5, Funny)

Anonymous Coward | more than 7 years ago | (#16135588)

Your Windows Genuine Advantage will protect you!

good thing... (0)

Anonymous Coward | more than 7 years ago | (#16135601)

I use firefox :P

Scientology (Off Topic) (0)

Anonymous Coward | more than 7 years ago | (#16135625)

OT, is anyone else creeped out by this creepy Scientology outfit, Sunbelt, getting into Windows vulns? One sure sees their name all over the place in the last year or so, and no one ever heard of them before. What is the Church of Scientology up to?

Wait... (1)

fullphaser (939696) | more than 7 years ago | (#16135636)

Someone took the time to actually learn vml?

I thought for sure that non-W3 sanctioned were part of the forbidden scripts

But on a more serious note, the user that understands JS being off, is usually also not running online with IE, and there are even fewer users who have JS off, and run IE. I would say not too much of a threat.

Here's what VML is... (0)

Anonymous Coward | more than 7 years ago | (#16135774)

VML stands for Vector Markup Language, and it's equivalent to SVG. It was in IE5, and IE5 was out before W3C came out with SVG so it's always been an IE-only alternative to SVG.

It's recently made a comeback due to people trying to make IE do standards such as WhatWG's Canvas (as supported natively by Firefox, Safari, Opera). And of course people have been mapping SVG to VML in JavaScript.

Oh, okay... (5, Interesting)

Skudd (770222) | more than 7 years ago | (#16135778)

Avoid the bug by turning off JavaScripting. Does anyone else see the issue with that?

One acronym: AJAX.

Looking at a variety of server logs for websites I'm currently in charge of, I see that Internet Explorer, even among the "geek" crowd, still has a very strong foothold in the browser market. I've worked closely with customers of my own and even after explaining the threat to them, they continue to use IE.

Thanks to Web2.0 (and various other forms of propaganda), Asynchronous JavaScript and XML (AJAX) has all but taken over the Internet. Now, with a bug such as this, the AJAX-driven sites are in trouble (assuming every IE user does turn off JS).

I'm not about to start a "Browser War" with this entry, but I have to say; IE is a very volatile threat, and an Open Source replacement would more than benefit the well-being of the Internet as we know it. Pick your poison - Firefox, Mozilla, Opera, Lynx, wget - they're all superior to IE in the sense that they are not an integral portion of the operating system, thus they pose less risk to the security of said OS.

Rather than disable JavaScript in every IE install in the world, take the time to replace IE with something far less dangerous and educate the user on the dangers of using IE over the replacement.

Re:Oh, okay... (3, Funny)

93 Escort Wagon (326346) | more than 7 years ago | (#16135845)

"Thanks to Web2.0 (and various other forms of propganda), Asynchronous JavaScript and XML (AJAX) has all but taken over the Internet. ... Pick your poison - Firefox, Mozilla, Opera, Lynx, wget - they're all superior to IE..."

Dude, you must be one master coder - you've got an AJAX framework that will work with wget?

Re:Oh, okay... (1)

Skudd (770222) | more than 7 years ago | (#16135882)

Okay, you've got me there. But still, the point is that IE is the most popular browser, AJAX is becoming increasingly popular, and the advisory suggested disabling JavaScript.

this article sucks (1)

larry bagina (561269) | more than 7 years ago | (#16135812)

There's two pictures proving the computer was up to date with all patches, then a picture of a console window with some gibberish.

I wonder if Keith Dawson's only purpose in life is to make Zonk look competent.

Well (0)

Anonymous Coward | more than 7 years ago | (#16135840)

based on their previous fix of teh DRM hole in their WMV software with a turn around of 3 days. expect a patch by the end of the day! Woot! Go microsoft! Show us how to fix critical holes!!