Exploit Surfaces for Unpatched IE Flaw
By Nate Mook | Published March 27, 2006, 12:32 PM
Microsoft acknowledged Friday that an exploit has surfaced in the wild to take advantage of a recently uncovered security vulnerability in Internet Explorer. The flaw puts IE users at risk of code execution simply by visiting a malicious Web site, and affects fully patched Windows XP SP2 systems.
The problem lies in how IE interprets the "createTextRange()" method used for radio button controls in HTML forms. The flaw can be exploited to redirect program flow to the heap, at which point the attacker can execute code on an affected computer.
"Right now we're monitoring the attempts to exploit this vulnerability and we're working with our industry partners and law enforcement to remove the malicious Web sites using the vulnerability as they pop up," Microsoft's security response team said in a blog posting.
"I want to caution everyone that they should take care not to visit unfamiliar or untrusted Web sites that could potentially host the malicious code." Microsoft is currently finalizing a patch to fix the problem, but the company's next scheduled Patch Tuesday is not until April 11.
As of Friday, security firm Sunbelt Software reported 19 Web sites attempting to exploit the new vulnerability. "Based on what we're seeing in the wild right now, we hope that Microsoft will patch this new IE exploit prior to April 11," said Sunbelt CEO Alex Eckelberry.
Microsoft says it is "actively keeping an eye on any attempts to utilize this in an attack" and will release the patch sooner if deemed necessary. "To be clear, and as our advisory states, the vulnerability affects currently supported versions of Windows 2000, Windows XP and Windows Server 2003."
The Windows Live Safety Center has been updated with the ability to remove the malicious backdoor software installed by the exploit, and third-party antivirus vendors are expected to follow suit.
- Internet Explorer Internet Security level switched to "High";
- Firefox as the default browser appears once again to be a satisfactory choice.
- Avoiding visits to websites of "dubious" nature is fine but is not a full guarantee. Being dubious is being more likely dangerous, not being dubious is not a natural safety criterion.
Score: 0
|Only ultra high security (AKA, Don't use) will be enough.
Score: 0
|Strangely enough I am not vulnerable to this flaw even without a patch or workaround.
It turns out that I never visit websites of a dubious nature, and I don't click email links/attachments unless I know why I'm getting them. Most importantly, I don't update my bank information at Banks I don't do business with.
Score: 0
|you so crazy.
Score: 0
|GoodThings2Life: "I never visit websites of a dubious nature" will not save you if (normally) innocent sites get hacked and the exploit uploaded to it.
From http://blog.washingtonpo...ernet_explorer_f_1.html
"According to a list obtained by Security Fix, hackers have infected at least 200 sites, many of which you would not normally expect to associate with such attacks (i.e., porn and pirated-software vendors). Among the victims are a regional business council in Connecticut, a couple of vacation resorts in Florida, a travel-reservation site, an online business consultancy, an insurance company, and a site featuring things to do at various cities across the country."
Score: 0
|isn't IE7 protected
Score: 0
|IE7 is vulnerable as well I believe.
Score: 0
|IE 7 beta 1 (January) is affected, IE 7 beta 2 (March) is NOT.
Update your beta.
Buggy
Score: 0
|There's a temporary third-party patch available at: http://www.eeye.com/html.../alerts/AL20060324.html
I haven't installed it so I can't vouch for its safety or for how effective it might be.
Score: 0
|Thank you very much! The article should be modified to reflect the availability of this patch as well as expert opinion on whether it is in fact a working solution.
Score: 0
|topic ie.
but windows vs linux battleground.
it shows how much we like that,just need simple reason to start it.
come on, use ur brain and software u like and face whatever happens.
some times i think that we humans are for entertainment of unknown forces.
;-)
Score: 0
|And this is why you don't use IE!!!!!!
Score: 0
|Amen to that brotha.
Score: 0
|mark my words, things are going to change once people are going to get ie7 by default.
ms has got too serious about security.
whether we like it or not FF and opera's market share growth is going to SLOW DOWN.
no im not a ie fanboy.
and i dont like ver 6.
right now im using opera and ff.
Score: 0
|Yeah, IE is not for ppl who are not savvy in computer.
As for me, i still like IE a lot. I know how to take care of myself.
Score: 0
|All Firefox and Opera users said Amen
Score: 0
|Agreed
Score: 0
|But IE7 doesn't have spiffy extensions ;)
Seriously though, MS had better hope that their new security is as good as they claim; expectations are high and if there's an exploit like this in the first few months, people are going to associate MS with "insecure".
Before Ford started its 'quality is job 1' campaign, its name was something of a four-letter word to car owners ('found on road dead', 'fix or repair daily', etc. ;) They still haven't fully recovered their image...
Score: 0
|Hence my love for Maxthon. No new rendering engine, but I'll never deal with incompatibility or monstrous memory-munching.
Score: 0
|You said it, man! Maxthon fan here too. :D
Score: 0
|First, see http://www.trendmicro.co...sp?VName=JS_DLOADER.BXR, and look at the reported infections, and distribution potential (and the statistics as well...).
Now--why is this such a critical flaw if the risk is low? Is the "virus" (trojan, worm, or whatever you fault-finders want to call it) just flawed, is Trend-Micro's assessment flawed, or is the vulnerability not as critical as it is made out to be? Anyone?
EDIT: Oh, and why/how does the Javascript take advantage of IE if Sun Java provides the means of reading them (or am I mixed up)?
Score: 0
|Er, Sun Java and JavaScript are two totally different and unrelated things.
Score: 0
|Microsoft's response is doublespeak:
We won't do anything until patch Tuesday, possibly before, unless our customers are affected.
[fastforward a few minutes to when customers *are* seeing this...]
"Microsoft is working with Law Enforcement to root out the evils of the underground. Sure it's trying to plug a drain with a colander, but by gosh it makes it seem that even if customers are hit, it's not our fault!"
They seem to want to cover their own asses instead of design around these constant issues.
IE needs a rewrite. Is IE7 going to be any better?
Score: 0
|even if IE7 is any better, there will always be idiots out there willing to get paid to find software weaknesses ... some even do it just for fun .....
All software has issues like these, but most frequently, malicious coders focus on the most popular titles ....
even with OS'es ...
Unix or Linux are no better than windows,
is just that crackers have no interest in finding the flaws
Score: 0
|Yes...that's why Mozilla usually has fixes within 24 hours, and Microsoft waits till their patch tuesday or even later...
Score: 0
|Yes, but patching Mozilla doesn't break anything but Mozilla itself. With IE that's different - they have to test the patch thoroughly prior to releasing it, because it may break so many applications that depend on IE's rendering.
Score: 0
|"Unix or Linux are no better than windows,
is just that crackers have no interest in finding the flaws"
You have no proof of that.
Score: 0
|Well then perhaps applications shouldn't rely on an HTML renderer for their functionality, especially one that is prone to security problems since its introduction? Even Microsoft has changed the HTML Help system that has then broken their own products!
Score: 0
|Whose fault is that?
Score: 0
|Do you really want Microsoft to go back to their old method of releasing patches on a daily basis? Remember how much of a pain that was to keep up with all of the latest updates?
Score: 0
|And you have no proof otherwise. Why would it be any different than any other software out there MS or not? They all have their flaws, however they all do not have the same size target painted on them.
Score: 0
|actually, i do have proof, being that a few years back i got paid to reverse engineer certain apps. in order to exploit machines running windows ME .... why windows me ?? because it had more users than "red hat" or even "mandrake" at that time ... :P
Score: 0
|pfft, Linux runs xx% the internet and it's not getting pounded on by hackers. That's all the proof you need.
There are no exploits because it's constantly being updated and bugs are fixed daily.
There is tons of proof out there, google for it.
Score: 0
|That's not proof.
Score: 0
|It would be fine if the patches didn't require reboots.
Every other OS vendor has been using that model for years. It works.
Score: 0
|personal attack removed
PLEASE NOTE
8:00 to 11:45 a.m. expect serious post from me ....
1:00 p.m. till midnight ... im a total @ss :)
( all times -8 GMT )
Score: -1
|it's constantly being updated and bugs are fixed daily.
so this means Linux does have contain the same faults ....
plus, imagine if i had to fix XP daily ....
ahHAHahHAHha
boy, go read a book or something ....
stop posting fanboy comments ....
Score: 0
|LOL and you call ME a fanboy.
Score: 0
|WOW, a personal attack.
I bet you feel like a man now, dont-chya.
Score: 0
|no, im no fan boy, i use Unix, linux, mac OS and even windows .... no preference in particular, all im saying is that they're all the same
Score: 0
|*** checks pants ***
OH YEAH !!!
Score: 0
|there is such a thing as a less desirable target. to deny that microsoft is not a more desirable target because of its large user base would be ludicrous. in all likelihood linux, mac, and any other os has a multitude of security vulnerabilities waiting to be discovered as soon as their market share increases.
Score: 0
|i'll take the reboot every once in awhile. i guess that's the price you pay in order to be able to inter-operate quickly between explorer and ie. i'll also continue to use firefox, but that's another story.
Score: 0
|exactly ....
Score: 0
|They aren't all the same (other than they all suck at one task and not so much at another). You should re-read your comment then because it's wrong. more than 45% of the internet runs on Linux and Unix yet only Windows is getting sploited. I don't buy the argument that it's a marketshare thing because it's only a marketshare thing in end user space.
You want to spread something then you target servers, Linux and Unix aren't targeted for a reason and it's not because it's "not used".
Score: 0
|I'm not complaining, I don't mind once a month reboots. I think if they found a way to reduce the reboots when patching and start releasing patches daily then that would dramatically reduce the vulnerability of Windows systems on the internet.
Score: 0
|actually, what do you think all those
"infected" windows machines are used for .... ???
whats that .... ??? do i hear DDOS attack on a linux server ???
the thing is that you're probably right, Unix, and Linux are indeed stable, but so are their exploits ...
no matter how much they "patch" them a unix server will ALWAYS go down performing the same "exploits" since its early stages of development
Score: 0
|I didn't deny they aren't a target.
They don't have a larger installed base on the internet.
End user base, ABSOLUTELY.
Server space, no way.
Where are the Unix / Linux sploits?
7 out of 10 (guestimate) of the deadliest "internet killing" worms have not been end user initiated, they have been windows port and service vulnerabilities.
Why haven't there been any for Linux or Unix (again, more than 1/2 of the internet servers are Linux and Unix)?
Score: 0
|there you go ....
thats all Unix / Linux are good for ... SERVERS ...
this is precisely why there are far more flaws on windows .... because windows can do more than just serve files :P
Score: 0
|fewt, I don't have the numbers yet--but the Windows Server market share is GROWING, not shrinking. Numbers to come...
"Server space, no way.
Where are the Unix / Linux sploits? 7 out of 10 (guestimate) of the deadliest 'internet killing' worms have not been end user initiated, they have been windows port and service vulnerabilities."
Linux/Unix are used a lot for Intranets separate from the Internet, so that may or may not be true. Can't disprove it, but you certainly can't prove it either. Again I'll find some numbers shortly.
Aha, here at http://www.cooltechzone....p;task=view&id=2026 :
"Gartner, Inc. recently reported that sales of Windows systems accounted for nearly 37 percent of all server revenue in the last quarter while Linux accounted for 31.7 percent. Windows has a 5+ percent lead over Linux, which should be the cause for celebration at Microsoft."
It goes on to say more or less that Linux may have outsold Windows Server in quantity since MS sells Server for more $$$ than Linux, nonetheless this backs my point. Even MS is beginning to gain the advantage in the Server market.
Score: 0
|The numbers are out there, Linux is outselling Windows in internet space.
Windows is selling too, don't get me wrong.
There's tons of proof out there, look for it.
Score: 0
|Deleted "personal" attack...
Score: 0
|I'll be the first to admit that Linux sucks as a desktop. I used it for years, and know it better than anyone.
It sucks.
Gnome and KDE are both great but the underlying OS is just not there driver wise (first thing that comes to mind, there are many other levels that it's not there).
If you are a geek it can be very powerful, every bit as Windows, but it's just not there.
Score: 0
|(heh)
Your "proof" proves my point.
There's lots and lots of Linux and Unix out there, but there are few if any viruses / worms running around.
Score: 0
|Actually I've noticed about two to three new *nix viruses a week since the beginning of the year, much more than ever before. Just because you don't see them doesn't mean they don't exist. The truth is most servers are not directly connected to the internet, and the clients are more vulnerable and they often are connected to the internet.
I was never out to say that MS is more or less secure in the Server realm--I think MS Server 2003 is more vulnerable than Linux (though anyone here who thinks Server 2003 is like XP--wrong. Windows Server has more security than XP by far). My only point is that you made incorrect or quite possibly incorrect statements regarding Server market share. You used this information as one of your premises in your argument. More likely than not, your conclusion is correct.
Score: 0
|You posted server shipments. I said internet servers specifically.
You are absolutely correct that MS is shipping more servers, and more power to them. Linux and Unix still have a much larger presence on the internet. Look at netcraft as an example (though not a great one).
Score: 0
|but he's right ....
most unix/linux servers are under firewalls hardware and software based, as for windows machines .... ( which are the most commonly targeted ) are utterly exposed
Score: 0
|HAHAHAHA
No, the Windows servers should be behind the same firewall / IDS / etc that the Linux servers should be behind.
Anyone that puts any server on the net in anything other than a honeypot config should be walked.
On the spot.
Score: 0
|This article is not about servers, though, is it? It's about Internet Explorer, a browser which runs on the vast majority (fact) of end-user machines accessing the internet. Your argument is a moot point in relation to this article, and just seems like yet another shoe-horned reason to argue hackneyed "Linux pwns Window$" threads.
Score: 0
|"This article is not about servers, though, is it?"
No, you are absolutely right it wasn't.
Score: 0
|What--you mean we might actually agree on something? :)
I kid, I kid...
Score: 0
|hrm, you got paid to reverse engineer software? (1) that violates the user agreement and invalidates your right to use the software and (2) that violates (c) laws and is illegal. I wouldn't be advertising this fact :)
Score: 0
|yeah but they tried that and it didn't work for their biggest customers: businesses. it was too hard for the sys admins to keep everyone up to date with random releases.
the reboot thing i can't speak to as i'm not quite sure as to what's in use at all times and what could be shut down and brought back up without causing catastrophe.
Score: 0
|thank you.
Score: 0
|IE is the major weakness of windows. I've been using a computer with no IE, firewall, AV, or anything for a while now as a test. Using Firefox, so far it hasn't picked up a thing.
netstat says 0 ports open by default. That may have something to do with it.
Score: 0
|What about Ubuntu? Isn't it attempting to get there?
Score: 0
|fewt, that's why my last round of Fedora updates demanded I reboot, right? :) Not saying you're wrong... just that you're ignoring a lot of exceptions with blanket truths that aren't true.
Score: 0
|Just because the Linux community releases their fixes right away rather than once a month doesn't mean that you have to turn all psycho on us.
Score: 0
|Yep, but unless they fork the kernel it won't get there any time soon.
The driver model needs to be re-written so anyone's dev shop can whip out drivers that will work with 2.x.100 just as well as 2.x.1 with NO code changes.
This whole "taints the kernel" crap, WTF WTF is that all about? Who cares that it "taints" the precious kernel? I don't, make it so my hardware will work. I care not about the politics of the GPL and drivers, fix your sh*t so it isn't broken (aimed at the Linux kernel devs).
That's step #1, until Linux dev guys do this Linux will always remain at the bottom of the heap barely working on modern hardware.
Example: My ATI Xpress 200 is "supported" but yet every time there is a kernel release the developers have to spend time working around kernel changes. This takes time away from fixing bugs like the one in the ATI Xpress support causing it to not work *AT ALL* with dedicated memory. It works great in shared memory mode.
Next example: My 7-in-one card reader. Completely useless in Linux. My WIFI adapter, requires a Windows driver wrapped around an NDIS emulator (basically). What's hilarious is that the ndiswrapper has to account for x number of kernel revs but yet it works with any rev of Windows driver thrown at it.
Amazingly stupid that an OS that's been developed by the world to do amazing things (and it does) can't even work on my common hardware because they can't not change driver code for more than a few days.
#2, Xorg - complete crap, antique and worthless. End users can't even change their refresh rate without having to generate a custom modeline and edit a config file.
Ridiculous.
I can and have made it *ALMOST* completely work with Linux, but I had to mess with it for DAYS to make it all work. This from a guy that knows Linux inside out, and can troubleshoot Linux systems blindfolded backwards with my hands tied .. you get the idea.
The average user is going to give up the moment his display comes up and it locks solid the moment he moves the mouse. Happens on lots of ATI cards with Ubuntu Breezy unless you boot single, and add Option "NoAccel" to the xorg.conf. Who the he** is going to know how to do this unless they are a geek? They will run back to Windows and complain about how much Linux sucks.
Unfortunately, they will be right.
Hopefully things will eventually change, but I'm not holding my breath.
Score: 0
|The reboot was probably for a kernel patch. Just one of the 10 you installed. ;-)
I never said that using Linux means you *NEVER* have to reboot, only that you don't reboot nearly as often.
You also have the option of not rebooting (hopefully you have it in Fedora) until your maintenance window, since the update only places files on the filesystem.
Score: 0
|It didn't work because guys like me spent all our time rebooting our dev and production environments.
If we could eliminate the constant reboot cycle, maybe configurable automatic updates for install no-reboot patches m-s and reboot patches on sunday of week 1 and then follow with production on week 2. There are many ways to make the process work for everyone, hopefully with Vista they have put some effort into it. (XP automatic updates is just OK, it's not GREAT)
Score: 0
|"IE needs a rewrite. Is IE7 going to be any better?"
Probably not until we see IE.NET or some other .NET based browser. .NET is invulnerable (theoretically) to buffer overflows and the like.
And the .NET 2.0 WebBrowser component doesn't count. That's just your standard exploitable IE pane.
Score: 0