
Comments on: Drag-and-drop flaw mars Microsoft's latest update

Independent researcher finds an Internet Explorer vulnerability that could turn drag-and-drop into drag-and-infect.

Surprised!
by wrwjpn August 20, 2004 3:36 PM PDT
After waiting a year for this update there still are critical flaws
and then MS reply is:
"Given the significant amount of user action required to execute
an attack, Microsoft does not consider this to be a high risk for
customers," a company representative said"
Doesn't MS get it, average Joe user will click on an image or will
think of it as an Internet game and will be fooled by it. What MS
needs to do is unbundle IE from the system. Then most of the
problems will disappear.

But then there is this problem:
"Ironically, this time around, most people have not had a chance
to update their computers with the security patch. The update
became available only on Wednesday and will require almost a
month to reach every Windows XP user who wants the software,
Microsoft said."

Then the person who found the flaws goes on to say:
"The patch really does lock down the machine nicely, and
whatever anyone finds now will be completely different to the
previous year's findings,"

Which means that the next big virus, trojan, etc, will be even
harder for the average user to be wary of. And most likely most
users will want to turn off the firewall in XP SP2 because they will
be bothered by all the warnings and won't be able to play most
of the online games.

I think I will wait until XP SP3 as it seems Longhorn will never
come. Actually I will just turn my laptop into a Linux machine
and use that.
Bogus
by Not Bugged August 20, 2004 4:17 PM PDT
Secunia had access to the Release Candidates and probably knew about this for months. They may even have been involved in the beta, in which case they may have known about it even longer. Instead of warning MS about the flaw, they chose to wait till SP2 was released and then trumpet their discovery.
What is Microsoft thinking?
by Tex Murphy PI August 20, 2004 4:20 PM PDT
Belittling the problem as "unlikely" is stupid. Evidently, they forgot about the recent spate of HACKED web-sites that had their contents altered to take advantage of a previous vulnerability.

Hello, Microsoft? It isn't hard to hack a lot of insecure sites, and alter them to take advantage of this new bug! It was done before, and believe it or not, it can be done AGAIN!

... but don't worry, Microsoft says it's highly unlikely that history will repeat itself again.

... and the patch for this low priority flaw will certainly be out soon. Hell, it took them a quick-turn-around of ONE MONTH to come out with the last patch that addressed a Day-Zero vulnerability -- and that was rated CRITICAL!

Now, where is that link to Firefox?
Thanks the gods...
by olePigeon August 20, 2004 4:28 PM PDT
I just purchased a brand new Apple PowerBook. No more
Microsoft for me. :)
easily prevented
by Jan Modaal August 20, 2004 5:15 PM PDT
Tools/Internet Options/Security/Internet/Custom Level and set "Drag and drop or copy and paste files" to "disable" or at the least "prompt".

If people spent even half the time they use to bash IE to figure out what all the different settings do the web would be a much safer place for everyone.

While I agree that it shouldn't even be set to "enable" by default, the story was obviously blown out of proportion - as so many about Windows and IE lately - by not mentioning this very simple workaround and saying the only option is to disable scripting or to switch browsers.
You're absolutely right...
by Gayle Edwards August 22, 2004 1:42 PM PDT
You're Absolutely Right...

If, (within minutes of using a new computer) the average consumer can't make dozens of UI-tweaks, install tens-of-megabytes of updates, and distrust EVERYTHING they see on their OWN computer-screens. They're DUMB, and should be held ENTIRELY responsible for the SERIOUS DESIGN FLAWS, built-into, the Microsoft products which they purchased (even if their purchase was usually due more to an "...illegally created monopoly" than to any real market-choice).

As someone who has worked in the 'IT' field for over two-decades, ...providing support and training to all levels of 'computer-users' and 'IS personnel', I personally completely agree with this philosophy. And I believe Bill Gates also 'officially' concurs (though he actually referred to the victims of such "IE security-flaws" as, "...stupid").
Microsoft Bashing
by Andrew J Glina August 20, 2004 6:46 PM PDT
This is absurd. While I don't actually use IE much (Firefox has tabs. Ahhhh.) this is not a flaw. Microsoft cannot protect against stupidity. If people choose to do actions that are not safe then it is their fault. Knives cut people, but you don't see warnings on them. Why? Because if you cut yourself it is because you made a mistake. However if the knife could go on rampages then it would be different. All Microsoft needs to protect against is Worms, and the firewall does that. It is time that people take responsibility for their own mistakes.

Andrew J Glina
Sinner Computing