Microsoft Corp.’s effort last week to fix a vulnerability in the Internet Explorer (IE) Web browser program and end the latest series of Internet attacks doesn’t address another closely related and dangerous vulnerability, according to a security specialist.
How many of these vulnerabilities found in the past several weeks have affected those who are test-driving SP2?
I’m not. I suppose that anyone still using IE is just asking to have their computer messed up.
My wife returned from vacation to a new policy at our desktop – use Firefox 1st then use IE if required. She was very cool about it and joked she would install “The Weatherbug” and Webshots!!
MS NEEDS to rewrite IE and no SP is going to fix the inherent problems with broken windows. I love my XP desktop and have been lobbying for an Apple PC. Apple can really come out swinging with some new ads along the switch lines but with a focus on security.
Is the fact that IE needs more than patches/fixes to catch up. MS won the browser war, and then dropped any worthwhile development on it. I honestly don’t see any reason WHY to use IE other than sites that only work with IE. The browsers based on Gecko, khtml are lightyears ahead, and conform to the standards much better. Do yourself a favor and install firefox. You will be surprised by the difference it makes.
I can’t think of even one of my friends/family members, that has a Windows Machine, and is on the internet, that isn’t plagued by spy-ware, ad-ware, and blaster worm variants.
Windows XP SP2 will hopefully fix some of that, but they will still have the problems with IE, Outlook, Windows Media Player, etc. Every one of my friends/family that I’ve hooked up with Firefox, are much less aggravated when talking about their computers. They even have moved on to asking me questions about how to do some task, or complete work of some sort. That’s the kind of question I should be answering.
People keep buying MS junk, so Microsoft gives people what they want……..an OS and wares filled with holes. Talk about the blind leading the blind!
“Every one of my friends/family that I’ve hooked up with Firefox”
I’m doing the same thing, Firefox runs great. Well I’ve only used it for one day so far, but I will be telling my friends about it.
I also hook my friends and family up, but I’m getting tired. Whenever a new version comes out, I try to upgrade them all in order to keep them all current. However, the developers are making my life harder by breaking extensions (such as adblock) from release-to-release, so I can’t just send them an email and say ‘download this executable and install it.’ Instead, I have to go to their house and update the thing myself. I hope they quit screwing with the extensions after 1.0 comes out.
As for IE, even if it’s on your system, it’s really only a problem if you use it
this was the perfect “excuse” to install FireFox on my dad’s laptop. Sensible thing to do as well…
without the publicity, I doubt I could have convinced him.
Firefox is and has been superior to IE for quite a while now. I’m glad they have been working on importing settings from IE so that it’s easier to recommend to inexperienced users.
I’m so tired of walking my friends/family through removal of spyware and whatever else IE has let through the backdoor.
There should be an API freeze when Firefox 1.0 is released, just as it was when Mozilla 1.0 was released. Then, you have gold-standard software to give to your family and friends, and not have to worry about compatibility breaking.
why is this a surprise to people?
Anyone here have any clue what uses adodb.stream? I am getting ready to deploy it throughout the enterprise, but I am fearful that it will break something, like most of the hotfixes do.
web browsers should NEVER be able to edit, move and/or delete and local files on a computer, and local file managers should never be internet aware, combining these features is always asking for trouble, don’t believe me then try this on your windoze box, open Internet Explorer and type in C: and hit enter, then you can use Internet Explorer as a local file manager, OR open Windows Explorer and type in an internet address http://www.someinternetwebsite.com/ and you can see that your local file manager can also function as a web browser, Microsoft integrating a web browser in to the OS was their biggest mistake, sure it won the browser war but at what cost, Internet Explorer is losing that war big time now, and Mozilla & Firebird is winning that war now…
>the most secure version of Windows ever
It’s not hard to shout, look at it like this: our new washing (ariel) X powder is the best of all our washing (ariel) X powder. People get fooled people buy. I wonder if its possible to sue MS for all their lies and misleadings towards their users.
this hole in my head? That damn lobotomy is never going to heal I’m open to all sorts of viruses, bugs, and malicious acts… It’s not funny!
Previous Poster: Never File Manage / Web Browse in the same app. Not necessarily true. As it was mentioned KDE has done that for years. There are many conceptual (if not implementation) similarities Between IE / Konqueror (khtml). They both act as container apps for a pile of underlying components. The difference is that KDE people took the concept of never letting khtml itself, or any of the other modular KDE components it uses, fudge with the filesystem without asking for a lot of consent. Having a filemanager & web browser tightly integrated with your desktop is nice. Nice if the web browser component wasn’t designed by a bunch of people who never saw broadband with semi-static IPs as something to keep an eye on, or by people who have a belief that, ‘no our platform really is secure’, and with users who think ‘not me, that can’t be right’. . .
web browsers should NEVER be able to edit, move and/or delete and local files on a computer
Care to explain where it’s going to store cookies/bookmarks/preferences/downloads/cached pages then?
The browser _HAS_ to be able to manipulate local files. The question is how to limit the number of files to only those absolutely necessary.
File access is just a symptom. It’s plugins and weird auto-installing crap that is the genuine problem here. Somewhere along the line the browser stopped being a browser and started being a “Platform”. IE isn’t alone in this attitude. Even the Mozilla people insist on making a “Platform” not a browser.
In short browser security is going nowhere. We’re only ever going to see more holes, because the feature creep seems unending.
It’s been interesting at work this week, being asked to install firefox on ppl’s (including the boss) comps. I’ve been advocating it since it was called phoenix, but no one was listening–until now. Good times.
“Even the Mozilla people insist on making a “Platform” not a browser.”
oh come. MS tries to do it by integrating a browser with the OS. mozilla tries to do it by coming up with XUL as a cross platform technology along with xpi and stuff. they are nowhere similar
…with which way you go, no matter what. Firefox has a vulnerability, which allows arbitrary program execution.
http://www.eweek.com/article2/0,1759,1621463,00.asp
So here’s what I’m saying; don’t take this news as the _only_ reason to switch to Firefox. If you like IE stick with it, if you are scared of IE, beware the alternative. Nothing is perfect!
I stand firm on my conclusion that Firefox is a better browser, by the way. IE is just too far behind on technology. Firefox looks and feels a lot nicer.
So is that going to be their standard practice for patching, offering them as extensions? Not that it’s a bad thing, just different
“So is that going to be their standard practice for patching, offering them as extensions? Not that it’s a bad thing, just different ”
not really. this is just a fast temporary fix to do it. they are planning a 0.9.2 pretty soon. You can just change the option in about:config
Read mozillazine.org for more details
So is that going to be their standard practice for patching, offering them as extensions? Not that it’s a bad thing, just different
It’s not actually an extension per se. It doesn’t even list under installed extensions once installed. I compared a “patched” and unpatched Firefox installation and the only noticeable difference is that network.protocol-handler.external.shell preference is now set under about:config, and has a default value of false.
I guess that if it was a cross-platform exploit (this one only affects Win32 builds), or the faulty code is in the core “engine” itself, an extension would not be feasible or even possible.
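A check for the preference named in the post above, as an added example that is not part of the original thread or Mozilla's own code: it reads Mozilla-style preference files and reports whether network.protocol-handler.external.shell is effectively false. The file names and directory layout in the sample are constructed assumptions, and a user-set value is taken to override a default.

```python
import re
import tempfile
from pathlib import Path

PREF_NAME = "network.protocol-handler.external.shell"  # name quoted in the post

# Mozilla preference files hold lines such as
#   pref("name", value);        a default
#   user_pref("name", value);   a user-set value, which overrides the default
PREF_LINE = re.compile(
    r'^\s*(?P<kind>user_pref|pref)\(\s*"(?P<name>[^"]+)"\s*,'
    r'\s*(?P<value>.+?)\s*\)\s*;'
)


def find_settings(text):
    """Return [(kind, raw_value)] for every line that sets PREF_NAME."""
    found = []
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m and m.group("name") == PREF_NAME:
            found.append((m.group("kind"), m.group("value")))
    return found


def effective_status(settings):
    """Return 'disabled', 'enabled' or 'unset'.

    The last user_pref wins; without one, the last default pref is used.
    """
    user = [v for k, v in settings if k == "user_pref"]
    default = [v for k, v in settings if k == "pref"]
    chosen = user[-1] if user else (default[-1] if default else None)
    if chosen is None:
        return "unset"
    return "disabled" if chosen == "false" else "enabled"


def audit_tree(root):
    """Scan every *.js file below root (an install or profile directory).

    Returns (status, [names of files that set the preference]).
    """
    settings, files = [], []
    for path in sorted(Path(root).rglob("*.js")):
        text = path.read_text(encoding="utf-8", errors="replace")
        hits = find_settings(text)
        if hits:
            files.append(path.name)
            settings.extend(hits)
    return effective_status(settings), files


if __name__ == "__main__":
    # Constructed sample tree: a defaults file like the one the post describes
    # (hypothetical file name) plus a profile prefs.js that does not touch it.
    with tempfile.TemporaryDirectory() as d:
        Path(d, "defaults").mkdir()
        Path(d, "defaults", "shell-fix.js").write_text(
            'pref("network.protocol-handler.external.shell", false);\n')
        Path(d, "prefs.js").write_text(
            '# Mozilla User Preferences\n'
            'user_pref("browser.startup.homepage", "about:blank");\n')
        print(audit_tree(d))
```

A result of "unset" means no scanned file mentions the preference, which is what the post reports for the unpatched installation.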
“Internet Explorer is losing that war big time now, and Mozilla & Firebird is winning that war now…”
Not really…IE is still, by far, the most popular web browser right now. We can only hope the masses get a clue and realize that IE is a crappy browser that can only result in problems.
I switched to Firefox 2 years ago (back when it was “Phoenix”) and haven’t looked back…I have been much happier since then.
>…with which way you go, no matter what. Firefox has a
>vulnerability, which allows arbitrary program execution.
>
>http://www.eweek.com/article2/0,1759,1621463,00.asp
Funny, again its only under Windows….
I don’t know, I just don’t like the idea of the file manager sharing the same interface as a browser, it doesn’t make sense.
However I do think Explorer (win32) is the best file manager I’ve used, it’s simple, and no it doesn’t share the same interface. Konqueror is so complicated as both a file manager & browser.
ok bas I have no idea what you were trying to say
Firefox is open source, and binary builds are available for multiple operating systems.
I think what bas meant was that only Firefox that’s compiled for Windows is affected. The exploit is not known to work on other platforms.
that was very diplomatically explained, however, I think arielb was using a bit of sarcasm in his reply.
i think arielb understood exactly what bas was saying, he just made this reply as a bit of humour. it was subtle humour indeed and although I got it, I am sorry you missed it.
yes i realise KDE & Konqueror does act as it does, someday when and IF Linux dominates the desktop KDE/ Konqueror could be an Achilles heel for Linux just as Internet Explorer/Windows Explorer is for Windows…
yes i understand Browsers need a Cache, Bookmarks, Plugins, the cache in Mozilla is encrypted (i think?) take a look at mozilla’s cache it can not be read by Windows, KDE/Linux can figure out what the files are by content but Windows needs that stupid three letter file extension that is attached to the end of every file..
the cache & plugins should be kept in a sand box that is forbidden to access the rest of the OS, (just my $0.02)
You have really not got a clue. It would not matter if Linux was on every single pc in the world, it would not suffer any of the security flaws that IE has.
Why are you comparing Linux (the OS) to Internet Explorer (an application)? Anyway, you assume that the Linux security model would hold up if you had a user at the keyboard who would do anything you told him/her to (including giving you his/her root password).
the previous poster suggested you cannot compare IE with the windows OS. incorrect, Microsoft has such bad practices as allowing their own application deep into the kernel privilege levels.
and this is one of the major reasons why (1) we used to see such deep crashes from userland applications, and (2) now we see such deep security intrusions.
so, yes – you can compare Linux OS with the windows/ie combination when talking about security.
It would not matter if Linux was on every single pc in the world, it would not suffer any of the security flaws that IE has.
Linux or Windows you’ll have the same problems. If you take the Windows user who automatically clicks OK to anything that pops up on their screen, then you’ll have a Linux user that types in the root password whenever they’re asked for it.
That might sound silly, but users are currently presented with so many OK/CANCEL type popups that they start hitting OK without even bothering to read the popup text.
If they have to enter a root password every time they install a piece of software/update/change config then they’ll very quickly start to treat it the same way.
Hell, I sometimes find myself jumping to root just to avoid getting yes/no queries when deleting stuff. That’s very bad practice and I should go change the alias, but it illustrates my point.
The OS just can’t protect itself from its users’ lack of knowledge when they have full access. A clueless Windows user is going to run a Linux system that’s just as wide open to attack as their Windows system. I don’t think anyone would disagree that Linux is more secure out of the box, but I definitely think that the difference between Linux and Windows security drops significantly once you put a knowledgeless user in charge of the root password for a while.
you both do not have a clue either……
it does not matter if a linux user is conned out of his root password or not. if that was to happen and something was installed on his pc and ran.. big deal, it would only be their computers that are affected not everyone elses. granted, all the files on that pc could be damaged or deleted, or whatever, the point is that the virus would not spread to any other linux machine without them users blindly giving out root passwords and clicking ok to everything.
Err made a valid point.. Ex-Windows users probably will give out the root password, but I honestly think that they will only do this ONCE.
The main difference between IE/Windows lack of security and Linux security is this… Linux needs the user to do something extremely silly. Windows doesn’t. It is possible to bork a windows system by opening IE, then WALK away from the computer for a while and let the auto-installing, auto-running malware do its stuff.
This is the difference. This is why Linux is infinitely more secure than Windows, now and in the future.
cheapskate was the one who originally brought up the point of linux being attacked just like IE, not me. I saw the flaw in his statement, but just responded anyway.
that I was thinking of writing a little something of my own…
it would be phished in the classic way.. spammed out to everyone everywhere…
the first screen would ask the user to type in the administrator password (for windows) or the root password (for linux, solaris, bsd etc etc) and ask for OK to be clicked
if the window gets closed, then fair enough
but if the password gets entered and OK clicked then the next screen would simply have the following message.
“Please pack your computer into the original package that it came in. Take it back into PC World and tell the salesman that you are simply too dimwitted to be let loose with a PC”
You can alter the quote to make the message as strongly worded as you like
raver31: you both do not have a clue either……
I don’t do professional tech support for computers but every so often people call me and ask me for my help. Almost a full 100% of the time the problem was either caused by a stupid user or (even more often actually) a stupid “professional” who setup or fixed the computer earlier.
Most problems I’ve encountered were either avoidable (if the computer was setup or fixed properly) or were actually DIRECTLY caused by someone.
But it’s obvious why an average user would have such problems, they don’t know really when to click ok, enter their password, or whatever and when not to. And in the case of the Windows professionals I know (who are about my age and now handle Windows networks for companies or do tech support for home users or what have you), the vast majority of them learned ALL their skills while playing Quake/Starcraft/Whatever and while trying to pirate the game so they wouldn’t have to pay for it. As a result, what do you think they really know? (And yet some of these same people think they are computer “gods”. Heh. Ya right.)
I’m not saying Windows and IE don’t have serious bugs, but even if they didn’t we’d still see a large number of problems simply because of all the stupidity floating around.
raver31: it does not matter if a linux user is conned out of his root password or not. if that was to happen and something was installed on his pc and ran.. big deal, it would only be their computers that are affected not everyone elses.
Let’s see… If that computer got infected by a virus that places itself in other executable files, then it will infect other files on the system. If that computer were trusted by someone else, then they might simply copy some program over to their own computer and they would trust that program. Would they question running the program as root? Doubtful.
That is how some of this stuff spreads on Windows computers.
raver31: The main difference between IE/Windows lack of security and Linux security is this… Linux needs the user to do something extremely silly. Windows doesn’t.
Actually… From my experience, the biggest difference is the defaults. For example: Under Windows, by default all files with an EXE extension have permission to execute. However, you can change that by simply going into the advanced security window and set Execute to Deny. If you do that for a drive or a folder all files will not have permission to execute and it will be the default for all new files on that drive or in that folder. And yet, some people believe you can’t do this type of thing in Windows.
the previous poster suggested you cannot compare IE with the windows OS. incorrect, Microsoft has such bad practices as allowing their own application deep into the kernel privilege levels.
True to the last statement, but practically speaking, IE is just like any other application – it doesn’t affect you unless you’re actually using it. This isn’t really the same thing as a flaw at the OS-level.
granted, all the files on that pc could be damaged or deleted, or whatever, the point is that the virus would not spread to any other linux machine
Oh yeah, I’m sure that the person, who probably was assured by some zealot that if they switched to Linux, they would have any virus and/or security problems, is going to feel good about it because after all, at least they’re not infecting anyone else when their own system gets trashed.
it does not matter if a linux user is conned out of his root password or not. if that was to happen and something was installed on his pc and ran.. big deal, it would only be their computers that are affected not everyone elses.
If you can instruct a user to hand over his root password, you could then scan his hard drive (esp. the /home directory) for any files containing email address, and automatically send an email out to his friends instructing them to do the same thing. Plus, any Linux box that has been compromised could potentially be used as a zombie in a D.O.S. attack.
Err made a valid point.. Ex-Windows users probably will give out the root password, but I honestly think that they will only do this ONCE.
I think you underestimate the intelligence of the average computer user. I’ve seen people who still continue to open up every email attachment that comes down the pipe, even after getting nailed with a virus from doing this very thing.
The main difference between IE/Windows lack of security and Linux security is this… Linux needs the user to do something extremely silly. Windows doesn’t.
In this case, how did the Melissa virus and others like it spread? Did Windows users not have to do anything to get infected with those?
This is the difference. This is why Linux is infinitely more secure than Windows, now and in the future.
Well, I’ll let you get away with that statement, but that’s a far cry from what you said originally:
It would not matter if Linux was on every single pc in the world, it would not suffer any of the security flaws that IE has
Though you did not state it exactly this way, but your statement read like “If you use Linux, you won’t have any security issues whatsoever.” This kind of statement has the potential to give people making the switch a false sense of security.
You know I read Bugtraq from time to time. I can’t tell you how many times I’ve read exploits that say works with current IE plus service packs. Truth is, responsible disclosure dictates that you contact MS before you release an exploit. Certain Bulgarian and Chinese researchers keep finding holes and opt not to contact MS, which is their choice as they found the hole.
web browsers should NEVER be able to edit, move and/or delete and local files on a computer
As seen on Bugtraq, there is a patch called Qwik Fix that fixes the my computer zone bug, er “feature.” Thing is most recent (and unpublished) IE exploits usually depend on the my computer zone in the chain of things. Several exploits are multi-step and Qwik Fix stops them. I don’t use it on client’s machines, but you may find it to do the trick on yours.
There’s also a hardened version of IE, but i can’t remember the darn name. so IE has been rewritten in a sense, just with aftermarket patches. Or just install Moz for email, newsgroups, and WWW.
“The main difference between IE/Windows lack of security and Linux security is this… Linux needs the user to do something extremely silly. Windows doesn’t.”
In this case, how did the Melissa virus and others like it spread? Did Windows users not have to do anything to get infected with those?
Linux is NOT perfect, there are rootkits and exploits for linux too. Thing is, the problem is due to fundamental bugs (features!) in Outlook and IE. You are free to browse the Vuln Dev, Bugtraq archives at seclists.org. They will fully substantiate what I am saying, excepting my occasional newbish errors.
Melissa i can’t remember. I think it was a VBS script that required user intervention to replicate and spread. However, that said, Outlook and IE have had exploits which merely require clicking on the message and reading it, or viewing a simple web page. In IE this is primarily due to the way it handles JS, Java, VBS, zones and so forth. Mozilla is more cautious. Sure there will be a Moz exploit eventually, but IE will intrinsically have more holes. That said, IE and Outlook can be hardened with proper config and hardening tools. Thing is most admins don’t even know how to do this, much less poor end users.
This is going to be an increasing issue. There are already whole books on hacking client (not just server) apps, including Java, J2EE and so on.
Though you did not state it exactly this way, but your statement read like “If you use Linux, you won’t have any security issues whatsoever.” This kind of statement has the potential to give people making the switch a false sense of security.
I’d totally agree. My personal feeling is OS like Multics and OpenVMS are way more secure in their default configuration than linux is. Both windows and linux are heavily attacked at this point. Most researchers looking for holes in clients like IE are focusing on windows at this point, partially because windows is typically running at admin 24/7 and partially because IE exploits bring quick fame and resume boost. Exploit development is like college professors, publish or perish.
the MS approach to patching used to be poor. the OOB bug is a good example. in the traffic it used a simple string like “microsoft sucks.” to patch the bug, MS simply filtered the string. so the crackers, simply modified their exploit to use a different string like “it still works.” finally MS patched it for good with a rewrite of the vulnerable code.
I am a professional computer support technician, and I get everything from “can I extract my sql db into a clean db and have it remotely accessed by people using bluetooth phones ?” to “where is the any-key ?”
Users are generally dumb, that was not an insult, but most people use their computers to do work.
Darius hangs around here all the time, and he is a complete Windows fanboy. He will not hear a bad word being said about Microsoft/Windows/IE/Billy Gates without going on the defensive. However, I have noticed too that Darius uses Windows for what he needs to do. His apps are what keeps him using it. I respect his choice for that, and I am not the sort of person who will make constant nagging remarks that he should change to Linux.
I have been called a Linux zealot here, and I suppose I could be seen as that… who cares ? I use what works well for me. I will pass on my experiences but mine will of course be different from yours, and from his, or from hers. Use what you feel comfortable with.
Back on subject….
You can change as many settings as you like to stop Windows from running EXE files, it means nothing. Almost all trojans or virus come as COM, BAT, SCR files, they will run no matter what settings Windows has set up.
Most people here moan about IE being so insecure, but they do forget that Outlook and Outlook Express are even less secure.
Outlook and Outlook Express were the reason that the Melissa virus was able to spread so easily. All the user needed to do was open the email account and the virus done the rest.
Since I started using Linux, I always had a dual boot with Windows, this changed a few weeks ago when I removed XP off the last machine that had it installed. I did this because I turned the machine on, it bluescreened and gave a message about X-steamer being corrupted. It would not reboot into safe mode etc. So I rebooted in Linux, moved me music and porno onto there and reformatted the Windows partition for Linux. Two days later I got an email from Microsoft security bulletin warning me of the “latest” exploit…. the one I had been hit with two days before
I have to use Windows at work, and while I was working the other week, I got an email. I did not open the email, but the next time I opened outlook, it immediately opened Media Player with NO file, then AVG antivirus popped up saying that I had some virus or other, nice, but not nice at the same time.
deletonm made a weird statement about a virus looking around a Linux system for executables to corrupt and infect, this one baffled me slightly… how is a virus going to find executable files, they are not given an EXE extension or anything like that, they are given executable status by their permissions, so a virus would have to scan the permissions for every file it finds to find ones that will run as SU… this is a monumental task. In fact the executable status for files is one of the reasons people do not like Linux when they first try it, they do not know what runs and what does not.
BTW – on a Linux system, it is possible for a user to change his file properties so that ROOT cannot delete/read/alter/move them. This is now built into Konqueror and Nautilus, have a look and you will find it
This is expected from MS, the day they do a secure OS is the day h*ll freezes over. As far as IE I never used it except for sites that need it & that is almost never. IE being tied to the OS is stupid too, now every IE exploit is an OS exploit. My mom read on the internet “only 7% of people have common sense”, well I do not think any work at MS.
“…with which way you go, no matter what. Firefox has a vulnerability, which allows arbitrary program execution.”
Yeah except that the Mozilla team posted a fix that actually works within 48 hours. MS has yet to do that.
You can either download a new build – that fixes it.
You can get an extension to fix it.
You can alter about:config to fix it.
See http://www.mozillazine.org for more info.
Darius hangs around here all the time, and he is a complete Windows fanboy. He will not hear a bad word being said about Microsoft/Windows/IE/Billy Gates without going on the defensive.
Believe me .. I’m not totally biased. I will say flat out that I think Windows is horribly insecure out of the box, IE is the spawn of Satan, and I trust Bill Gates and Steve Balmer about as far as I can throw them. Now, would a true Windows zealot make those claims?
Outlook and Outlook Express were the reason that the Melissa virus was able to spread so easily. All the user needed to do was open the email account and the virus done the rest.
Try this …
If you have to use Outlook or Express for whatever reason, make sure you’ve got the latest service packs for each one, and turn off HTML rendering. At this point, they become about as secure (or not) as any other Windows email client. Of course, I recommend using something like Thunderbird or The Bat, but using either Outlook or Express doesn’t automatically guarantee you trouble
If you got nailed with a Windows virus/worms, which one of my patented ‘six steps to security on Windows’ did you not follow?
1. Hit Windows Update at least once or twice a month, download any critical updates you find.
2. Download and run a software firewall – Sygate and Zonelabs offer free ones
3. Only use IE when absolutely necessary, including email HTML rendering
4. You don’t have to run anti-virus software native, but scan any new file that goes on your system, including email attachments
5. Do what I said with Outlook/Express in the last post if yer gonna use them
6. Before installing a new program that you downloaded, do a quick search on download.com (User Comments) and or Google for ‘appname spyware’ to see if the app contains adware/spyware before you install it.
raver31: Darius hangs around here all the time, and he is a complete Windows fanboy. He will not hear a bad word being said about Microsoft/Windows/IE/Billy Gates without going on the defensive.
As far as MS goes, honestly, I’m pretty much the same way these days. (I used to be totally anti-MS a few years ago.) The reason being that I have just watched way too many “experts” screw things up with their own computers and the computers they’re responsible for to hold MS accountable anymore.
raver31: You can change as many settings as you like to stop Windows from running EXE files, it means nothing. Almost all trojans or virus come as COM, BAT, SCR files, they will run no matter what settings Windows has set up.
Well… It also works for COM, BAT, and SCR files.
However, my point wasn’t that those specific settings would help much, if at all, my point was that the VAST majority of the tech people I know are almost completely unaware of the options Windows has and often pretend they don’t even exist.
Another example, is that a lot of Windows techs I know aren’t even aware that you can run as anything other than Administrator.
Hell, I know more about the options on Windows than any of the professional Windows techs I know (I know one that doesn’t even know what a ZIP file is) and I don’t even bother to know about a lot of them. Because I see it as their job, not mine, I have enough things to study.
I really only worry about them at all, because it’s obvious to me that I need to either 1) Care for my own Windows machine or 2) Switch to another OS. Because the Windows techs I know sure aren’t any help. (BTW… I did both actually. I have 4 Windows machines which are, shockingly enough virus/spyware free. Plus a number of Macs, and I have Linux, BeOS, and FreeBSD setup. Along with some other misc stuff.)
Also, I handle all support and repairs for a number of people and yet I almost never get a phone call. Simply because I tried to set things up to be reasonably secure and easy to use to start with. (I also took away all the Administrator passwords from those computers) Also, I purposefully try to move them to software that I’m more familiar with (unless of course they really want to use some program, then I’ll try to figure that program out) so that I don’t have to go out and figure out all new “secure” settings for other programs. For example, I never used Outlook Express. I knew it was probably going to be bad news the same day I heard they had (or were going to? It’s been long enough I can’t remember) integrated scripting into the program.
raver31: deletonm made a weird statement about a virus looking around a Linux system for executables to corrupt and infect, this one baffled me slightly… how is a virus going to find executable files, they are not given an EXE extension or anything like that, they are given executable status by their permissions, so a virus would have to scan the permissions for every file it finds to find ones that will run as SU…
I’ll grant I don’t know how difficult it would be to implement (or to implement something similar) but it doesn’t seem like it would be too hard to accomplish to me, since the virus would basically have “all the time in the world” as long as it doesn’t call undue attention to itself and considering how little attention some people (even techs I know) pay to their machines, well, that would mean it wouldn’t be too hard to avoid them.
As far as your Windows and Outlook problems go. What can I say? Besides that I don’t have any. (Of course, I don’t have any Outlook problems because I don’t use it, however, I have heard it is possible to secure Outlook.)
raver31: Darius hangs around here all the time, and he is a complete Windows fanboy. He will not hear a bad word being said about Microsoft/Windows/IE/Billy Gates without going on the defensive.
Deletomn: As far as MS goes, honestly, I’m pretty much the same way these days. (I used to be totally anti-MS a few years ago.) The reason being that I have just watched way too many “experts” screw things up with their own computers and the computers they’re responsible for to hold MS accountable anymore.
I forgot to add that I’ve also seen too many comments on websites, forums and in books about how you can’t do this or that in DOS/Windows/MS Whatever, which I know to be false. And I’ve seen too many people locally (and on some of the other forums I go to) blame their own mistakes on MS/AMD/Intel/Anyone As Long As It’s Not Them. (Though MS seems to be their favorite at the moment.)
A timeline of the recent security exploit for Mozilla (shell:) – a Windows only problem shared by IE, was recently posted.
The site is a fully referenced blog of how quickly the Mozilla developers fixed this issue, something that Microsoft has yet to do for IE.
http://www.sacarny.com/blog/index.php?p=104
“The site is a fully referenced blog of how quickly the Mozilla developers fixed this issue, something that Microsoft has yet to do for IE.”
On the other hand, this fix involved changing just 1 option in the configuration settings – not like you needed 5 months for that.
The main difference between IE/Windows lack of security and Linux security is this… Linux needs the user to do something extremely silly. Windows doesn’t.
That sounded very convincing in 2000, but not today.
Today we have a list of prominent Linux sites hacked. What silly stuff had they done?
Today we know about the massive hack at Stanford U, among others. Tells you what happens when the average user moves to Linux from Windows.
Today we have fun with evil.c on shared Linux servers in universities and schools. O-ops, we hear from the kernel development team. O-ops, indeed.
Tomorrow, well, tomorrow is promising, too. To find out what CAN be done with Linux just take a look at the list of bugs fixed in Linux distros during the last 3 months, I’ll take Red Hat corporate desktop distro as an example: https://rhn.redhat.com/errata/rhel3ws-errata.html.
Look at them and ask yourself: if someone wanted to hack Linux using this or that bug, what would happen?
For example, I did not have to look very far to find this: https://rhn.redhat.com/errata/RHSA-2004-178.html
Here is what it says: An attacker could exploit the buffer overflows by creating a carefully crafted LHA archive in such a way that arbitrary code would be executed when the archive is tested or extracted by a victim.
What does it mean? A user receives an email with an archived attachment signed by an address from a trusted friend, that user just checks what’s inside the attachment: bingo, infected!
Tell me, is it extremely silly to view contents of an archive in Linux?
*************************
That is just one example. The worst Windows worm used a vulnerability that had already been known for weeks and for which a patch was available.
Saying “but LHA exploit was not written for Linux, we are safe” is preaching security by obscurity.
So, take a look at 3-4 months of known Linux exploits, imagine their effect if 95% of all home computers ran Linux.
Speaking about security, this new shell bug that makes Mozilla execute arbitrary code automatically, without user intervention, was in Mozilla for years.
The fact that it wasn’t fixed before the same bug was found in IE by a third party says that having open sources available doesn’t mean that much: developers either can’t or won’t spend sufficient time to review sources even for extremely critical issues.
Developers are only humans.
“On the other hand, this fix involved changing just 1 option in the configuration settings – not like you needed 5 months for that.”
Yeah…I pointed that out in an earlier post. I was only pointing out that unlike MS, the Mozilla team responds extremely quickly to security problems and implements fixes much more quickly.
It just seems very clear to me that Mozilla has a superior product and a much more security-minded group of developers.
“Look at them and ask yourself: if someone wanted to hack Linux using this or that bug, what would happen?”
Cracking is a different story. ANY system can be cracked with enough persistence. But that’s not the main problem of the home user…worms, bots and browser hijackers. Security through obscurity? It’s the only way to go. Look at the rapidly increasing rate at which malware is appearing. Even with all the advancements promised by SP2, how long will it be before the worm writers break XP open like an eggshell? We’re at the point where if you’re a day late getting the latest patch, you could have a worm doing god knows what to your computer. If you aren’t downloading them as soon as they’re released, you could easily be screwed. Let’s face it, if one is going to be even a half geek, he’s going to have to stay one step ahead of the masses. If the masses switch to Linux, he ought to be switching to something else. Without ragging on Microsoft, it’s just a damn shame that the enormous Windows division puts all that time and effort into the OS, and all it takes is some fat 18 year old from Minnesota to get people’s computers kicking them off the Net and rebooting.
“If you aren’t downloading them as soon as they’re released, you could easily be screwed. Let’s face it, if one is going to be even a half geek, he’s going to have to stay one step ahead of the masses”
On the other hand, that’s what firewalls are for.