The Active Network
  Microsoft preps emergency IE patch for Wednesday release
Time: 00:10 EST/05:10 GMT | News Source: ComputerWorld | Posted By: Kenneth van Surksum

Microsoft Corp. announced today that it will issue an emergency patch tomorrow to quash a critical Internet Explorer bug that attackers have been exploiting for more than a week.

The advance warning came less than a week after Microsoft acknowledged that exploit code had gone public and was being used by hackers to hijack Windows PCs running IE.

Microsoft will deliver the out-of-cycle patch Wednesday at 1 p.m. Eastern time via its normal update mechanisms, including Windows Update, Microsoft Update and Windows Server Update Services (WSUS).

#1 By 15406 (216.191.227.68) at 12/17/2008 2:41:29 PM
Strange. Where's the microbot brigade to remind me how Vista with IE7 will never be hacked? That was their mantra a year or so ago.

#2 By 3746 (72.12.161.38) at 12/17/2008 3:50:58 PM
From what I have read if you have Vista with UAC turned on this exploit will not work because it needs elevated privileges.

#3 By 28801 (71.58.225.185) at 12/17/2008 4:55:17 PM
#2: Isn't it strange how the articles always leave that out. Latch always brags that he runs FF with noscript. That just demonstrates that FF is insecure and needs an addon to help plug the holes. What about all of the people who don't know to install noscript? I guess they are just virus food.

#4 By 82766 (211.26.160.18) at 12/17/2008 9:41:01 PM
One of the funnier calls I heard in the last 24hrs is... "everyone switch to FF or Chrome" but of course, NO software is problem free

Yesterday Mozilla announced a raft of security fixes for FF2 and FF3... three of the security holes allowed much the same 'security bypassing' issue like this hole for IE did.

That's just funny in my books! woe IE... but FF has just as bad security holes in it.

#5 By 9589 (68.17.52.2) at 12/17/2008 10:17:42 PM
Don't get me wrong, it is great that Microsoft pushed out this out-of-band security patch, but updating 100k+ workstations and 10k+ servers twice in a month for two months in a row is putting a strain on our patience. This is especially true this month with our IT on "break" for the holidays.


#6 By 23275 (71.91.9.16) at 12/17/2008 11:54:53 PM
#2, Quite correct, and that is IF it can get past the UIPI broker and out of PM in the first place and even IF it did that and a user did accept the UAC prompt, the default ASLR+NX/DEP would crash the exploit before it reached WFP - Windows Filtering Platform, which would prevent systems files from being written to and a final File System Filter check would isolate those even further.

As opposed to FF - the documented leader of most unsecure Windows apps... and just to be clear that attackers have no favorites and no loyalties - as #4 rightfully points out.... FF, right on IE's heels, announced nearly identical exploits on ALL OS platforms as follows:

Mozilla Foundation Security Advisory 2008-60
http://www.mozilla.org/security/announce/2008/mfsa2008-60.html

Mozilla Foundation Security Advisory 2008-69
http://www.mozilla.org/security/announce/2008/mfsa2008-69.html

Mozilla Foundation Security Advisory 2008-68
http://www.mozilla.org/security/announce/2008/mfsa2008-68.html

I recommend: Windows Vista x64, IE 7/8 with its default Protected Mode left on. UAC left on and when such exploits emerge ahead of patches, run the x64 version of IE. I would and do, stay clear of Firefox - it is not as secure as IE 7/8 on Vista.

#7 By 15406 (216.191.227.68) at 12/18/2008 9:04:24 AM
#2: I would think that the average user would either have turned UAC off by now, or they just blindly click OK to any prompts. In the end, UAC is no protection at all. You can't save the user from himself.

#3: Of course FF is insecure. I've never said otherwise. I have said repeatedly that it's better than IE, and even better still with NoScript. It's all a matter of degree. FF doesn't do the ActiveX boogie. FF doesn't do silent driveby downloads. Those two by itself make FF more secure than IE. I use NoScript because it gives me a better browsing experience, but it also has the added bonus of stopping script-based exploits in their tracks.

#4: "That's just funny in my books! woe IE... but FF has just as bad security holes in it."

There's a big difference between theoretical hacks that could own your system versus active hacks owning systems as we speak. Of course all software have problems, but MS seems especially competent at having their bugs bite their users worse.

#5: "updating 100k+ workstations and 10k+ servers twice in a month for two months in a row is putting a strain on our patience."

And you'll do absolutely nothing at all about it other than complain and continue to pay MS.

#6: "As opposed to FF - the documented leader of most unsecure Windows apps..."

Where is this document?

"and just to be clear that attackers have no favorites and no loyalties"

I thought the microbot mantra was that Windows/IE gets hacked much more often exclusively due to its popularity? I always believed it was a combination of popularity mixed with a plethora of never-ending bugs.

Your recommended configuration is also the least compatible collection of MS bits ever made. Vista64 with ASLR+DEP is fine for a server but not for a desktop.

"I would and do, stay clear of Firefox - it is not as secure as IE 7/8 on Vista."

Oh stop! You're killing me! Hahahahahahaha. You are SUCH a partisan. I love it.

#8 By 23275 (71.91.9.16) at 12/18/2008 9:20:36 AM
#7, daffy, uninformed and simply silly...

Look, Latch, get out more... Vista x64 is becoming the norm and ASLR+DEP is the default!
DEFAULT, get it and users are not even aware of it and they have zip to do.

Similarly, WoW - Windows on Windows allows for seamless execution of 32 bit apps.

fine for server.... how uninformed can you be.....??????? AGAIN - ASLR+DEP and hardware NX (zero execute) are the defaults and they always have been.

And no... most people do not turn off UAC. UAC works and it works well.

Firefox is the documented least secure app on Windows - http://www.bit9.com/files/Vulnerable_Apps_DEC_08.pdf

This post was edited by lketchum on Thursday, December 18, 2008 at 09:22.

#9 By 15406 (216.191.227.68) at 12/18/2008 10:20:49 AM
#8: You keep reiterating how uninformed I supposedly am, and then you backstop that with absolutely nothing other than your own opinion.

As for your indictment of Firefox based on Bit9 (who?), I noticed that MS is almost entirely missing from the list. I dug a little bit and found this:

"Last year when we released this list, a lot of people commented on how we left off so much Microsoft software - some even going so far as to say that Microsoft sponsored this research! So let me be clear - this is entirely produced and financed by Bit9. The reason most Microsoft software doesn't make the list is because by now most companies have a pretty good process in place for identifying, patching, and fixing vulnerable Microsoft software. The same can not be said for apps like Firefox, iTunes, and other packages."

So they don't even bother listing all the flawed MS software because it's so buggy that everyone already knows it and has processes in place to patch it regularly.

Hardly the "documented leader of most unsecure Windows apps" as you claim. Nice try, though.

#10 By 23275 (71.91.9.16) at 12/18/2008 11:08:07 AM
#9 clueless is a better word.

It is a well established fact that:
Vista x64 is shipping on more and more computers than ever
Vista x64 features Windows on Windows and most users have no clue they are running x64
Vista x64 features both ASLR+DEP which are on by default and only one part of the Windows Integrity Mechanism
Protected Mode, using secure-able objects is the default mode in IE 7 on Vista
The UIPI Brokering Agent prevents privilege escalation from protected mode into user space
Admin and Guest Accounts on Vista are disabled by default and ALL USERS run as standard users despite UAC handling.
All computers built since Vista's release feature NX, or zero execute hardware support, which works with and augments ASLR+DEP
All of the above are available for all developers.

These are facts. Vista/IE 7/8 security features are not my opinion - they are documented features as part of a solid security model that is seeing great success and sustaining solid progress. The linked study lists the MOST UNSECURE software running for Windows computers.

Sharing my assessment that firefox is not secure and not a security panacea in any way are many others - among them, "Firefox tops list of 12 most vulnerable apps" http://blogs.zdnet.com/security/?p=2304

It is entirely true that Microsoft has the best and easiest to manage security update mechanism and update systems available. Firefox does not come close to that capability.

#11 By 3746 (72.12.161.38) at 12/18/2008 12:02:56 PM
Latch - What are you talking about most people turn UAC off? Most uniformed users maybe. The reality is the average user has no idea what UAC is or how to turn it off. Almost every single Vista system that I have worked on has UAC on. But if it was turned off that doesn't mean that Vista is inherently unsecured. Vista has layers of security in place to protect the system regardless if it turns out a program has a security issue. It is not the fault of MS that people turn off or bypass features meant to make their systems more secure.

I don't think anyone but the most ardent MS supporter would argue that an MS product or system could never be hacked. But Vista goes a long way in addressing these issues. It is not the fault of the system that the user chooses to not use them or turn them off.

#12 By 1896 (68.153.171.248) at 12/18/2008 12:29:09 PM
#10: Vista 64 is not mainstream, a very small percentage of Vista systems run a 64 OS; I personally doubt that even Windows 7, 64 bit, will be prevalent over the 32 bit version.

Hopefully if MS will ship Windows 8, or whatever it will be called, 64 bit only this will force all vendors to ship 64 bit drivers as good and functional as current 32 ones and people will use a 64 bit OS without knowing, caring if the OS is 32 or 64; less than ever understanding what the differences between the two are.

Btw I use Vista 64 and IE 7; so far I do not like IE 8, too slow and I doubt it will significantly improve before RTM. I tried FF but, simply put, it did not click for me; if it had I would be using it. This is software not an article of Faith.



#11: it is true that average user has no idea about how to turn UAC off; on the other hand what the same average user does is to click yes on every warning.

Do not get me wrong, this is not a behaviour created by UAC; after a while warnings generated by UAC, AV and Firewall are, in the majority of cases, simply ignored by the user who clicks "yes", "allow" or whatever other message pops up.
Wrong and sad but a very well documented and prevalent behaviour.

This post was edited by Fritzly on Thursday, December 18, 2008 at 12:29.

#13 By 15406 (216.191.227.68) at 12/18/2008 12:38:52 PM
#10: One fact I have noticed is your Distract-O-Matic technique of listing unrelated or semi-related "facts" when I've got you by the tail.

"These are facts. Vista/IE 7/8 security features are not my opinion - they are documented features as part of a solid security model that is seeing great success and sustaining solid progress."

How you can say that after a massive Patch Tuesday and this OOB patch (the second in only a few months?) amazes me.

"The linked study lists the MOST UNSECURE software running for Windows computers."

Well, not really. It lists what they consider to be non-MS software running in an enterprise that needs to be more actively managed for patches. See, once again you've somehow forgotten or ignored the fact that they are excluding most MS software from the list. Probably for the sake of redundancy.

"It is entirely true that Microsoft has the best and easiest to manage security update mechanism and update systems available. Firefox does not come close to that capability."

Really? Funny how my FF was patched yesterday afternoon while the MS patch didn't hit until last night.

#11: No, even users in uniform turn off UAC ;) btw uninformed users probably make up the vast majority of computer users. People like your parents or grandparents. Your aunt that forwards every urban legend email she gets, etc.

"But if it was turned off that doesn't mean that Vista is inherently unsecured."

I have no problems with UAC and don't fault MS for implementing it. It needs to be improved, but it's more feel-good security theatre. It doesn't really do anything other than put up one tiny roadblock that uninformed users can easily dismiss.

"I don't think anyone but the most ardent MS supporter would argue that an MS product or system could never be hacked."

I agree with you, but that's exactly what Ketchum was trying to sell a year or so ago. "Vista has so many acronyms that there's no way it will be cracked." His position has now shifted to one where you have to run a specific configuration to even have a chance of not being owned.

#14 By 23275 (71.91.9.16) at 12/18/2008 11:39:07 PM
Latch, the features and the way they integrate are DEFAULTS. How many times must one tell you? They are default settings and features and run that way out of the box!

Fritz, the majority of systems I have seen in stores are x64. We ship x64 8 of 10 times.

Windows on Windows (WoW) works and I have yet to find one piece of 32 bit SW that does not run flawlessly on it. There may be some, but I have yet to encounter it.

x64 will be the norm by the time Win 7 ships - that is what I predict.

This post was edited by lketchum on Thursday, December 18, 2008 at 23:39.

#15 By 3746 (72.12.161.38) at 12/19/2008 7:39:26 AM
To get an idea of the number of systems that Vista x64 is on there are a couple of places to look. The STEAM hardware survey is interesting. It gives you an idea what is going on in the Windows world. Basically they now have Vista sitting at 30 percent of systems Steam is on with almost 7 percent of those being Vista x64. I think this is a good indicator of future trends and will only show an increase in the move to X64 as Windows 7 comes out.

http://store.steampowered.com/hwsurvey/

#16 By 1896 (68.153.171.248) at 12/19/2008 1:14:20 PM
Where do you live Iketchum, Orbit City? :-)
Seriously most of the Best Buy, the disappearing Circuit City etc. etc. here in Miami show systems running the 32 bit version.
As I said I hope your forecasts are right and we will see a faster adoption of 64 OSes but...

#17 By 23275 (71.91.9.16) at 12/19/2008 2:10:31 PM
Fritz, since about April of this year, we've seen and shipped far more x64 than anything else.
We just have not seen issues with drivers not being available and WoW is so good and so transparent, that software compatibility just isn't an issue. If 136.00 dollars (USD) is not too costly for a user, OCZ makes an 8 GB kit that is very fast and x64 with 8GB is transformative - even modest quads really haul the mail. By summer's end, we stopped seeing big box stores ship less than 4 GB and 6 GB was much more common and each was of course, x64. It is so dead on reliable and the added security just makes sense - I mean... forget browser plug-ins, host file adjustments and what not and just run the included x64 version of IE 7 - no FLASH and all that embedded script at all. It changed the web for me. I live in central Alabama in an area that is very progressive. A lot of medical research, steel, clean coal, mining, and automobile manufacturers that actually make money and create good jobs - so there is a lot of design work and a large ecosystem of related manufacturers. Perhaps surprisingly, SAKS Inc. has its headquarters here... go figure... SAKS HQ'd in Alabama - I am sure they conceal that fact from the NYC midtown crowd. We also have a coast that has the most amazing beaches I have seen - all that quartz from under the Appalachians created the star white sands one sees in postcards.

#18 By 8556 (74.84.87.66) at 12/22/2008 2:30:21 PM
Currently 64-bit Vista adoption rate is about 25% of all Vista sales, and climbing.

This post was edited by bobsireno on Monday, December 22, 2008 at 14:30.
