Time: 00:53 EST/05:53 GMT | News Source: eWeek | Posted By: Kenneth van Surksum
Barely two weeks after shipping an Internet Explorer security makeover to cover a wave of drive-by malware downloads, Microsoft is scrambling to address the public disclosure of a new zero-day vulnerability that could be used in code execution attacks.
The Redmond, Wash. software maker confirmed it was investigating a warning posted on the Full-disclosure mailing list that the latest versions of IE cause various types of crashes when visiting Web pages with nested OBJECT tags.
|
|
#1 By 32132 (64.180.219.241) at 4/27/2006 1:54:09 AM
|
Duplicate crap from eWeek.
|
#2 By 8556 (12.217.111.92) at 4/27/2006 8:39:11 AM
|
Parker: The news source says eWeek. Maybe it's crap and we've seen it before.
Here's a different angle:
I'm a bit concerned that issues like the one described in eWeek's article (rerun or not) occur while Microsoft is pushing out its "Genuine Advantage" Critical update. It's not a critical update to us. Security issues are far more important and should be the only critical updates sent to us.
|
#3 By 15406 (216.191.227.68) at 4/27/2006 8:51:57 AM
|
#1: Yes, damn those eWeek guys for continuing to shine light on IE's never-ending megaholes.
#2: anything that increases MS' revenue by $1 or more is considered a critical update.
|
#4 By 7754 (216.160.8.41) at 4/27/2006 9:17:10 AM
|
anything that increases MS' revenue by $1 or more is considered a critical update.
If that's the case, they could make a lot of those $1s by signing everyone up for the "Destroy IE" campaign.
What's silly about this, though, is the headline: is Microsoft really "rocked" by this? I don't think so. It's a flaw, yes, but this rates pretty low.
|
#5 By 15406 (216.191.227.68) at 4/27/2006 9:49:23 AM
|
#4: I thought the title was silly too. Considering how many security hairballs IE has coughed up over the past few years, you would think MS would be used to it by now. Will MS also be 'rocked' by next week's hole?
|
#6 By 32132 (64.180.219.241) at 4/27/2006 11:04:23 AM
|
#2 The exact same article was posted on ActiveWin 8 - 10 articles ago.
And it's crap because:
eWeek and ActiveWin do not post articles critical of Firefox even when there are 21 security holes in Firefox ... but they will post stupid "Microsoft Rocked ..." articles twice.
|
#7 By 32132 (64.180.219.241) at 4/27/2006 11:07:34 AM
|
The argument that Firefox fixes its flaws quicker is kind of moot since they are still keeping most of them secret on bugzilla.
Go ahead and look some of them up and you'll find:
Exploit code and details embargoed during the active update period
However!
ZDI does have more info on some:
2 months: http://www.zerodayinitiative.com/advisories/ZDI-06-011.html
2.5 months: http://www.zerodayinitiative.com/advisories/ZDI-06-010.html
5 months: http://www.zerodayinitiative.com/advisories/ZDI-06-009.html
What I find fascinating is this statement on the last one:
"TippingPoint IPS customers have been protected against this vulnerability since December 13, 2005 by Digital Vaccine protection filter ID 3977. For further product information on the TippingPoint IPS: "
So hackers who subscribe to this "service" had 5 months to exploit it in the wild before Firefox fixed it?
Scary!
|
#8 By 15406 (216.191.227.68) at 4/27/2006 12:11:28 PM
|
#7: Here we go again with Parkkker's patented Distractaroony routine. Every time some article exposes IE/Windows for the crap they are, Parkker swoops in to the rescue with some diversionary rubbish and cherry-picked "facts". btw, those 3 alerts you linked to have already been fixed. You're awesome, Parkkker!
|
#9 By 3746 (216.16.225.210) at 4/27/2006 12:30:55 PM
|
I am no MS or Linux zealot but I do get what notparker is saying. Why post the same article twice about something that may or may not be that bad (it has not been proven)? And why no articles posted about Firefox vulnerabilities? I mean with so many using it on Windows now it would be a good service to let them know about the number of vulnerabilities. I use what I think is best but you are doing a disservice to the site to only post about vulnerabilities in IE if Firefox has been gaining market share. It would be good to let people know that they should be patching their systems regardless of whether it is IE or Firefox.
|
#10 By 45754 (83.85.190.93) at 4/27/2006 1:41:55 PM
|
Hi All,
The duplicate post wasn't on purpose, so there's no real meaning behind it. It's just a mistake.
But I agree with the fact that IE vulnerabilities are given more attention than Firefox vulnerabilities. So I will try to post these vulnerabilities as well if they drop by.
Everybody has got to learn, so do I. Lesson learned.
Regards,
Kenneth van Surksum
This post was edited by Kenneth on Thursday, April 27, 2006 at 13:42.
|
#11 By 7754 (216.160.8.41) at 4/27/2006 1:53:19 PM
|
I don't think it's really the purpose of this site to report on Firefox's vulnerabilities, while it would be to report on IE's (especially considering the site's history). What bothers me is that these sites (I mean eWeek and the like) jump on a relatively insignificant bug as if the company all went home listless and in tears. It's trolling for hits, wooing advertising $$$ at the expense of evil Microsoft--it's all about money, and if they report any real news incidentally, bonus (they really need a new word specifically for this, so that people can call them on it with a collectively understood meaning of what's going on). Who's to blame? Us. We all fell for it.
This post was edited by bluvg on Thursday, April 27, 2006 at 13:54.
|
#12 By 32132 (64.180.219.241) at 4/27/2006 2:08:05 PM
|
"especially considering the site's history"
Right!
Apple stories: check.
iPod Stories: check.
Firefox market share rises: check.
Microsoft is EVIL!: check.
Firefox security issues: Oh no. We can't have that!
|
#13 By 7754 (216.160.8.41) at 4/27/2006 3:06:27 PM
|
#12--true... although usually most have had some Microsoft relevance. Personally, I think that if the article covers both Firefox and IE security issues, then it would make total sense to list it here. But all of those that you listed, if they contain nothing related to Windows, I think they don't belong. That's what ActiveMac, ActiveFirefox (should such a thing exist), etc. are for.
|
#14 By 3746 (71.19.43.237) at 4/27/2006 6:09:16 PM
|
#13
Well, Firefox runs on Windows and is used by Windows users (a growing percentage) as their main browser. Doesn't that make it relevant to a Windows news site?
|
#15 By 20505 (216.102.144.11) at 4/27/2006 8:09:20 PM
|
I’ll restate the question I posted in my previous post. Isn’t the import of flaws in IE more significant because the browser is more closely tied to the underlying OS? If not, what was the point of MS arguing in the anti-trust litigation about how closely the OS and the browser are intertwined?
It either is or it isn’t. I’m not a programmer but it would seem to me that if a program runs as part of the kernel of the OS that it would be much more likely to compromise a computer than if it was an add on program that the OS could block from performing certain tasks.
P.S. – NotParker this is not a slam.... it’s a question.
|
#17 By 23275 (68.17.42.38) at 4/28/2006 12:35:46 AM
|
Oldog, MS was right, and still is - IE resides at a level that is fundamental to the OS. It however, did not, nor does it now, present a greater risk to either IE, or any Windows Executive over other browsers. The architecture actually presents a much more secure environment than any other available in the open markets. There really is so much to this, that this forum really isn't suited to a good exchange regarding such matters. Below, I have listed the three basic layers which make up Windows - setting aside user mode processes as in this context, they are irrelevant to the thread. The reality opposite Windows is that it is the hardest to root where it matters most - that does not mean that IE is not intrinsic to the OS's design - it most certainly is and it is only one face on a much larger architecture - a great many Microsoft products and components run in exactly the same way as IE. Is IE less secure - heavens no - far from it. It is just examined so much more closely. The below texts illustrate some basics and are widely distributed descriptions at many places on the net.
If you're interested, I'd research all of it and as many have concluded, I assess you'll come to regard Windows as not only more secure, but astonishingly so. So is IE. "no wonks about ActiveX, from anyone, please... as one form of RMI, it is by far the best, but just as dated and dead as any other in light of ATLAS/AJAX and XML - do check out ATLAS - you'll see that the browser will become a platform from which we will all launch a lot of very powerful experiences.
The Hardware Abstraction Layer virtualizes hardware interfaces, making the hardware dependencies transparent to the rest of the operating system. This allows Windows to be portable from one hardware platform to another.
The Kernel is at the core of this layered architecture and manages the most basic operations of Windows. This component is designed to be small and efficient. The Kernel is responsible for thread dispatching, multiprocessor synchronization and hardware exception handling.
The Executive is a collection of kernel-mode modules that provide basic operating system services to the environment subsystems. It includes several components; each manages a particular set of system services. One component, the Security Reference Monitor, works together with the protected subsystems to provide a pervasive security model for the system.
Environment subsystems are user-mode protected servers that run and support applications native to different operating systems environments. Examples of these subsystems are the Win32® subsystem and the OS/2 subsystem.
|
#18 By 32132 (64.180.219.241) at 4/28/2006 1:45:07 AM
|
#15 "Isn’t the import of flaws in IE more significant because the browser is more closely tied to the underlying OS?"
No. A compromised Firefox or Safari is just as dangerous. Many of the recent Firefox vulnerabilities allow the compromise of Linux machines just as easily as Windows machines can be compromised.
"If not, what was the point of MS arguing in the anti-trust litigation about how closely the OS and the browser are intertwined?"
A browser engine, available to all applications running in that OS, made it easier for developers to write applications because they knew an HTML engine was available to them.
I myself have integrated the use of ftp and http into applications I wrote because of the availability of the wininet.dll available on every copy of Windows.
It saved me and millions of others lots of time and money.
And therefore made Windows a better platform for developers.
#16 http://www.microsoft.com/presspass/press/2006/apr06/04-27fy06q3earnings.mspx
Some blunder.
|
#19 By 8589 (68.113.198.230) at 4/28/2006 4:45:00 AM
|
eWeek is a Linux site, everyone knows that. Linux is so buggy they have to release 100's of megabytes of fixes within months of an official distro release.
|
#20 By 17996 (66.235.19.95) at 4/29/2006 6:43:32 PM
|
#17/#18 are right. When a user runs IE, it runs just as any other executable. Except in Vista, where it will run with extremely limited rights ("protected mode"). This will instantly put it ahead of all other browsers in terms of security--any browser hole will be unable to affect the system OR even the user's profile. I would encourage other browser makers to use Vista's "integrity level" security technology to achieve the same end.
Interestingly, as some people have pointed out on various forums, the "integration" between IE and the Windows Shell has been dissolved with IE7 and Windows Vista. You can no longer view shell folders in IE, or web pages in Windows Explorer. I suppose one of the primary motivations behind this was the aforementioned "protected mode" -- if you were to view shell folders in a protected IE, it would prevent you from doing anything.
During the antitrust trial, MS testified that much functionality between IE and the Windows Shell was provided by the same code in shared libraries (specifically, SHDOCVW.DLL and BROWSEUI.DLL). Specifically, code to draw the browser frame/chrome, and implement navigation, was the same code. Well, with IE7, that has changed. IE7 no longer uses SHDOCVW and BROWSEUI; they now use IEFRAME (essentially a "private copy" of the shared DLLs). Going forward, Windows Explorer will continue to use SHDOCVW/BROWSEUI while IE7 uses IEFRAME.
After making this change (a huge architectural change which probably took a lot of time and planning), they could in theory quite easily remove IE from the OS (in a similar way to WMP being removed for XP N). Yes, it would break many third-party programs, but it would not break the Explorer shell.