The new bug could be used to launch code execution attacks. Microsoft acknowledged that the vulnerability, found by Andreas Sandblad of Secunia, is not just a successful exploit of the flaw uncovered last week by Michal Zalewski.
It was originally believed that the flaw found by Sandblad was related to the one discovered by Zalewski, but a Microsoft representative confirmed that the two vulnerabilities are separate.
"During analysis, Secunia discovered a variant of this vulnerability," security company Secunia wrote on its Web site on Tuesday, referring to the bug found by Zalewski. The company confirmed the problem "on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2."
Both flaws could be used to corrupt a PC's memory if the computer's user can be tricked into visiting a malicious Web site, Secunia said.
Secunia added that Microsoft is working on a patch.
Of course, there are some circumstances that make using IE unavoidable. The only way most people can get security patches is via Microsoft Update, which requires IE to use. While this is tantamount to trying to vaccinate oneself against HIV using a smackhead's dirty syringe, there isn't much choice in the matter.
For all other uses, please use Mozilla, Firefox, Opera or one of the other, less toxic, alternatives to IE.
But after years of essentially 100% I.E use I have:
NEVER HAD A VIRUS
NEVER HAD MY IDENTITY STOLEN
NEVER HAD MY BANK INFO STOLEN
NEVER HAD MY BROWSER HIJACKED
NEVER HAD A ROOT-KIT (NOT EVEN SONY'S lol)
NEVER HAD ANY PROBLEMS
Now of course I do not do porn, p2p, don't STEAL software (which could have crap embedded as part of the crack!). I use A/V s/w and a firewall 24/7
and as a matter of FACT don't ever seem to have a problem with ADWARE OR SPYWARE....
but yeah..... best to dump IE right away.... NOT!
Thanks for the laughs and the melodramatic post... maybe next year you'll win an OSCAR!
with the rest of us. Or is it that you don't actually use the internet
and/or e-mail?
But hey, I am also sure that when you just keep browsing to respectable sites, you will not get much trouble, but I bet you don't dare to let kiddos use your PC.
It's like driving. If you always stay on the main roads, you will not get any mud on your car. But I like to get off the roads sometimes, and get muddy. Most of the times it brings you to the nicest places.
Microsoft's last chance to resurrect that nasty mess of a browser.
From the looks of it, they didn't pull it off. It's time to say goodbye
to Internet Explorer.
IE, regardless of its design flaws, is as secure (or insecure) as the other browsers around, judging from the number of vulnerabilities, their seriousness and the patch availability history. The only thing actually protecting the users of other browsers is lack of market share (and yes, this is an often repeated argument, but based on hard data it seems to be true). If everyone ditched IE and moved to another browser, the history would be the same, with malware authors moving to the new dominant browser.
So if you are really happy with your current browser security, the best thing you can do is to shut up and enjoy in silence the benefits of using unpopular tech. Because if that product ever becomes popular, you will have to start looking for alternatives. That's unless someone manages to come out with a new browser that's way more secure, has extremely few vulnerabilities and is still compatible with the vast majority of web sites. But that hasn't happened yet, and I don't see it happening anytime soon.
This happens to all companies that rush products. But, seeing as this is such a high profile product, wouldn't it make more sense to just rewrite the damned thing from the ground up with security foremost in the specs?
This would also be a great product to show the world how fabulous .Net is. Rewrite IE in .Net.
Use typesafe coding (no unmanaged code) and that should get rid of all of these buffer overflows - which seem to be never-ending.
IE from .Net. Unless .Net sucks too, this seems like win-win to me.
http://blogs.msdn.com/ie/archive/2005/09/19/471316.aspx
I think they are ahead for the year. And last year too.
Also, FF bugs are much more public, compared to MS. I bet if would be able to look at the bug reports of the MS test teams, that the counter would be very different.
And also... how many of these FF bugs have actually been exploited? How long till they are fixed? How much spyware is installed on my PC (none, and I don't mind going to funny sites). That is what counts for me.
You can keep claiming IE is no different than FF, but the facts do not support you.
At some point you just have to acknowledge that the stupid shall be punished and call it a day. There is no amount of legislation that can protect the terminally stupid from themselves.
:)
space between the user's ears. It can't be fixed. It can't be patched.
It has always been and will always be the most vulnerable point of
any system.
There will always be vulnerabilities as no code is perfect; and true, the Goliaths' (MS) will have a target on their back much faster than the Davids will (FF, Crapintosh...etc) and true they did put out a crappy product and integrated it throughout their OS. Nothing can be done about this now, it is what it is. So with that, I hope that you make better decisions.
Anyone commenting back and forth in this forum is intelligent enough to SEPARATE! I have a design/music/video machine that does not touch the internet plain and simple. It has far too many critical things for me to chance screwing up. I also have a dune buggy machine that's meant to troll the depths of the Internet, after all, if we don't get down to the dirtiest places, we'll never understand what is at our disposal!!!
How else would I cop free apps, vids and songs?!? How else would I be entertained for months upon end??
Now that being said, I have to Hardware & Software firewall my dunebuggy, because I don't want to fall out of it in the desert next to Osama and his boys, I want to keep trolling and spit some sand in their faces while blaring Hells Bells and throwin empty beer cans at em!!!
Be realistic about security, about the net, and about networking. If it's that valuable to you, don't open it to hell. If anything in the past few weeks has taught you anything, it's only going to get worse as more things arise; ie. Mac Vulnerabilities!!!! Ha, welcome to the jungle white box sukkuz!!!!!!!!!!!!
Seriously folks, how many of you are the average computer user? I would bet most of you know how to take proper measures to ensure the security of your computer no matter what browser you use. It's the people like my boss who are constantly infected with junk from the net b/c they don't know what they are doing no matter how much I preach at them.
Seriously, you are just lucky. Nothing is fool proof and most likely you would not know if a professional got you. I am sure you might avoid the "I Love You" virus, but if you get hit by a real hacker you will not know until money vanishes from your account.
Can it be done? Sure
Is the time it takes for me to hack into your system only to find out you have no money or have nothing interesting for me.... NOPE
Your AVERAGE internet user IS NOT going to be the victim of a RANDOM hack attack. Now maybe if they pissed off a dude at school.... or maybe if they slept with (and got caught) some other guy's girlfriend...
but it is just FUD to try to scare people into thinking that Harry Hacker is gonna take the time and effort to get into my Grandma's eMachine used strictly for email, photos of the little ones and news sites. And UNLESS you know who your target is this is EXACTLY what you may get rewarded with for all your work.... a system that has nothing of interest for you.
When there are SO MANY EASIER ways of recruiting a zombie, stealing money etc the RANDOM HACK through firewalls and security measures is not much of a risk at all.
<
Microsoft TechNet-Security Center:
Security tools for IT Pros: Visit the new Security Learning Paths site to help plan, prevent, detect, and respond to various IT security issues.
Learn more>>
Click Here!
* Microsoft TechNet - Security Center Find security tools here
* Antivirus Protection: Download a free trial of Antigen for Exchange Download now
* Steve Ballmer Details Microsoft's Security Strategy Read More
* Microsoft TechNet--Learning Paths for Security Learn More
* White paper: Microsoft helps customers mitigate security risks Download now
<
What a Joke! Microsoft security Ad next to an IE flaw article. These morons, can't they figure a better way place their ads?
That said, anyone who uses IE deserves what he gets, VIRUSES & SPYWARE. As many previous posters have pointed out the problem lies with windows. I say this from my own experience.
It is two years since I switched to Mac platform (OS X was the reason, I hated Mac OS 9). Since then, I never had to run a virus scanner, disk-defrag, or reinstall anything. And my computer works with the same speed and responsiveness I saw the day I bought it (I use Powerbook with stupid G4 processor). During the same period I saw my coworkers had to reformat their hard-drives, reinstall Windows..apps and even lose data because they were not careful to backup.
I hate to sound like a Mac Zealot, but my advice..just switch to anything that's *NIX. BSD, Linux, MacOS X. Doesn't matter...anything else is better than Windows which is a plague that's consuming countless hours of man hours and billions of dollars worldwide. And, we are not even talking about the hardship people have to go through.
qtd: These morons, can't they figure a better way place their ads?
I am sure that MS as well as any other company that advertises on the web IS NOT PLACING their own ads here or anywhere else.
In fact I would bet you that they are just served up here by C/Nets server and ad software/partner with no analysis of where they are being placed. This happens in the TV world too...
so in my best Napoleon Dynamite voice....
IDIOT!
lol
needs to see you ASAP! :)
pmsl
Lots of interesting points have been made so far. I.E. is O.L.D. and a complete rewrite is in order. I.E. has flaws and Microshaft patches them. Then Microsoft patches the patches. Then discovers new vulns while patching the patches.
Dunno about you, but if I came across a brick wall that was riddled with band-aids, I wouldn't stand too close to it (this is a valid comparison to the code in I.E.) for fear of it crumbling apart.
Yes, other browsers have vulnerabilities, but Microshaft waits SO long to issue theirs. Haven't you noticed that? Even their Patch Tuesdays - if there's a patch available now, ISSUE IT NOW! I'm embarrassed to tell my boss about the latest vuln, then have to say, "sorry, there's nothing I can do - gotta wait for Microsoft to save us from themselves". I really have to give the Open Source teams such as Mozilla credit for showing us that a patch doesn't need to take months/years to be issued. Why this rabid clinging to I.E., in the face of all the onslaught of problems, created by Microsoft, is beyond me. It just doesn't make sense. Someone explain why they stick to I.E. when they KNOW it has these vulns. Explain it not as if you're trying to convince me to use I.E., explain it... nevermind. I already know. It's familiar, easy, and you're too lazy and set in your ways to change. Even if it saves you (as an example) from losing all those precious baby pictures.
I used to love Microsoft - I read Bill's book, he was my idol. But after having to deal with all this garbage over the years, it's taken its toll and it's no fun anymore. I just want stuff to work, is that so wrong? Opera works. Firefox works. OpenOffice.org works. I'll soon find out how well a distro of Linux works.
Rewriting code is stupid. By rewriting code you only add new bugs. The smart move is to threat model the architecture to understand where the weak points are and target your rewrites for the maximum benefit. This is what is being done with IE7.
There's a very specific reason why patches are released at a consistent time. Scheduled downtime.
Releasing patches is very dangerous. Usually, the exploits that a patch addresses are not public. By releasing patches at a consistent time, it ensures that most people (and corporations in particular) know when they're coming and will update their systems fairly quickly after the patch is released.
Releasing a patch is an advertisement of what the vulnerability is. There are ridiculously advanced techniques for doing binary diff analysis which hackers can use to find out exactly what the fix is and how to hit the exploit in unpatched systems in less than a day. Keeping average patch time to a minimum is critical to containing that sort of threat.
Beyond that, IE6 is indeed a bit behind the times in terms of security, but not that far. Microsoft is one of a very small number of companies in the world whose products are consistently getting more secure. Windows at this point is MORE secure than Mac OSX and *at least* as secure as almost every flavor of *NIX. You can say what you want about its reliability and the average computer savvy of its users, but WinXP SP2 and Win2k3 SP1 are both more secure than Mac OSX if you read up on the recent pen tests.
But obviously, you're more interested in believing unsubstantiated attacks on one of the few companies who actually does care about security than you are about actually researching what the security landscape of today is like. If you want to believe that MacOSX and FireFox are so much more secure than Microsoft and that you don't have to use due diligence to stay safe with them, then my blessing goes out to the east asian mob who owns your box.
Beyond that, it's a quick way to drop programs onto a host machine for use in things like DDOS attacks or just for monitoring.
Is it potentially overstated? Probably. But is it still a very real threat? Absolutely.
- Microsoft Should Just Give Up on Internet Explorer
- by wbenton May 4, 2006 7:34 AM PDT
- The following article explains it quite well... no need for me to add anything more.
- oh yeah!
- by Sboston May 4, 2006 11:09 AM PDT
- Dvorak?
- IE 7 does not support an addressed supported subfolder.
- by Pop4 May 5, 2006 6:17 AM PDT
- Also known as; a 'Trash Can'. Sound familiar?
http://www.foxnews.com/story/0,2933,193058,00.html
Walt
That guy has bounced around to so many different places that it isn't funny.
But sometimes his articles are. :)