Print this article | E-mail this article | Comment on this article

Flaw Found in Windows XP SP2

By Nate Mook, BetaNews

August 20, 2004, 5:06 PM

Security firm Secunia has detailed a new flaw in Internet Explorer that affects users running Windows XP Service Pack 2. The vulnerability involves drag-and-drop, which can be used within a Web page to place a malicious program in the Windows startup folder.

Secunia has branded the issue "highly critical" and says it comes from "insufficient validation of drag and drop events issued from the 'Internet' zone." Users are advised to disable Active Scripting, or use a Web browser other than Internet Explorer.

The security researcher who discovered the flaw has posted proof-of-conccept code, which involves dragging an image across a Web page. But Secunia says it could be simplified to require just one mouse click.

Microsoft, however, brushed off concerns over the potential issue. "Given the significant amount of user action required to execute an attack, Microsoft does not consider this to be a high risk for customers," the company said.

Add a Comment (69 Comments)

BetaNews reserves the right to remove any comment at any time for any reason. Please keep your responses appropriate and on topic. Foul language and personal attacks will not be tolerated.

By zhanghenihao

posted Nov 12, 2008 - 3:39 AM

thank you for http://www.wow-powerleveling-wow.com/ wow gold
http://www.powerleveling-wowgold.com/ wow gold
they serve me ,i really said that thanks

Score: 0

By starpro

edited Oct 2, 2005 - 10:44 AM

This is quite different but I can't find answer anywhere. Win XP Home main boot login the p/w field is already filled that is not the p/w given. Hard to erase but eventually you can fill in your own p/w.. Anyone? Thanks

Score: 0

By Ozieo

posted Sep 6, 2004 - 12:14 PM

I heard from a trusty source that even Micro$oft employees use Mozilla Firefox as a browser.

Score: 0

By bourgeoisdude

posted Sep 6, 2004 - 4:11 PM

Really? What source?

Score: 0

By GoodThings2Life

edited Aug 25, 2004 - 4:04 AM

The only thing "stupid" about all of this is everyone running around trying to convince people of something others don't believe in. "IE sucks!" "IE rocks!" etc.

At home, people should use what they like, and at work they should use what their employer likes and deal with it. Nobody asked, "Do you like it?" They simply said, "Here it is... take it or leave it." Don't like what your employer gives you? Talk to the IT group there.... if they approve alternatives, fine... if not, tough luck!

The fact that so many people bash a product they don't like but they use it day after day is where the stupidity lies.

Score: 0

By qx2

edited Aug 24, 2004 - 4:12 PM

Put your stupid linux or mac pc online and give me the freaking ip address, hell you can just give me your URL, and i bet you I can crack your box. Take my challenge and you will see that no box or software is 100% secure. Why to you think the DOD (department of defence) and federal government isolate there networks from the rest of the world. They know that given enough time any software can be hacked or cracked. Give me a shoot at your pathetic code, come on be a man, I'll prove it to you. Anyone with enough computer security experience knows that the only true mesure of security (or how secure a system is) is how long it takes to crack and the amount of processing power required to do it. No system is hack proof.

There is no patch for stupidity.

Score: 0

By yousuck,man

posted Aug 25, 2004 - 5:33 PM

NOTE: i apologize to everyone else for making a personal sidetrip here. i do feel though, that the time has come for someone to make a stand against the useless and senseless and noninformative claims made by inaccurate self assessment from unexperienced persons.
this is a board for reading and getting something usefull out of, and not for listening to children and their egos.
i rarely make any posts, but i do feel so strongly against the continuation of these useless and vapor-filled personal claims.

this is for "QX2", (or queen xylophone II), since s/he made some personal comments and truely displayed his/her ignorance, arrogance, and intelligence (or lack thereof). And, to all of you blind idolatrous windoze users, using your 'point-and-click' world (which, i remind all, was stolen from macintosh), browsing around on the internet unsuspecting or knowledgible of the superiority of linux, (and macintosh). while you live your lives inside the box of hubris, behind bill gates and his ego and need for power, enjoy the notion that those of us linux users, who actually know the difference between flavors and microsoft (unlike windows users, and what advantages there are with linux that are not offered with microsoft, -also blind to windows users) are creatively and actively assisting in a more diplomatic and sensible operating environment. and while you settle for your run of the mill, microsoft-fisherprice "operating system" (although the word 'operating' here is a relative term, and also somewhat subjective in reference because of the continuous viruses and bugs that affect and infect windows), enjoy the notion that 9 out of 10 networks are run with linux.
and, as for your claim that 'no software is 100% safe', linux and especially macs (although i am not a mac-advocate) have been proved to be far less vunerable than windows. this is precisely why your precious dod, armed forces, and major governmental networks are run on linux.
and, as for your offer to 'crack my box' or anyone elses, that is something that i would obviously be more than willing to subject myself to with you behind the wheel, or keyboard as i doubt that by your sentence structure, lack of an informative response, and blatant offering to 'crack my box' that you are of legal age to drive. and less do i feel that my computers or networks would be subject to any harm with you 'crack'ing, or, attempting to do so.
...this is the problem with todays youth, just another example of an unintelligent and naive little child...)

and, about your inaccuracte claim that
"Anyone with enough computer security experience knows that the only true mesure (SIC) of security (or how secure a system is) is how long it takes to crack and the amount of processing power required to do it,"
i resign that these claims are false, and very clearly identify you as someone who is not in the security field, let-alone someone with any experience 'crack'-ing.
so, rather than surround yourself with terms that have no identity within your fictional possessed mind, why not spend your time accurately assessing what it means to 'crack' a computer or network infrastructure, and then give opinions that are fact based.
i can tell you from first hand experience, and from actively having government clearance for years, that the (glamorous) live you suspect behind a computer is something that you will not find. you impress me not, and in fact, if you would like to 'crack' my box sometime you little teenie pion then let me know.
until then, go on and enjoy your little cupcakes, fruit juice, and oreos, and leave the big work to us professionals who know what we're talking about.
AGAIN, i apologize to others for feeling that i must include this in post. please accept my apologies.

Score: 0

By qx2

posted Sep 20, 2004 - 10:54 PM

You are clearly a moron who just loves to hear himself talk and can't shut the f**k up. if you have any balls post your url or ip and i'll show how much i know. I'll shove a back door so far up your (system) a** you'll taste it for week and when you are done with the taste your dumb a** will have to resort to a low level format, no GRUB will not help you moron, to get read of me idiot.

Score: 0

By qx2

posted Sep 20, 2004 - 10:54 PM

You are clearly a moron who just loves to hear himself talk and can't shut the f**k up. if you have any balls post your url or ip and i'll show how much i know. I'll shove a back door so far up your (system) a** you'll taste it for week and when you are done with the taste your dumb a** will have to resort to a low level format, no GRUB will not help you moron, to get read of me idiot.

Score: 0

By qx2

posted Sep 20, 2004 - 10:54 PM

You are clearly a moron who just loves to hear himself talk and can't shut the f**k up. if you have any balls post your url or ip and i'll show how much i know. I'll shove a back door so far up your (system) a** you'll taste it for week and when you are done with the taste your dumb a** will have to resort to a low level format, no GRUB will not help you moron, to get read of me idiot.

Score: 0

By Sinequa

posted Sep 7, 2004 - 3:56 PM

yousuck,man

Your Mouth has out run you wee little brain.

For all you Linux is great fanboys/girls

Did any of you really do your homework?

So.. Linux/Unix and Mac/Unix has no flaws?

Did any of you pull your head out of your butt and wipe off your eyes?

If Unix based OS have no flaws why are they being updated just as often as MS products? Who does the development work for Linux?

Why does over 60% of the Information Analysis and Infrastructure Protection Directorate of the US Government list FLAWS and HOLES for Unix based products if its purfect?

Why if Unix is perfect is it only used by less then 10% of all computers? Unix has been around since 1958, but carries only a hand full of operators, MS has been around since 1981 but has most the worlds computers under control.

So what we have is 60% of the flaws goto less than 10% of the computers and 40% of the flaws goto 90% of them. Seems that in this reality that the perfect OS has more flaws than the inferior product. Obviously it must be another govenment conspericy right yousuck,man?

Score: 0

By ptancreti

posted Sep 1, 2004 - 12:18 PM

At the momment, the world is Microsoft-centric. I would agree that Linux and Mac are the most advanced personal OS's know to mankind. But, let's think about the future; if things go your way, Microsoft will go away and WHO will fill the void? Mac, HA! Linux, most likely. How many flavors of linux are there? Is there a "Single Linux Unified Theory" yet? Can companies afford to make that many versions. How about Anti-virus, sure it doesn't affect Linux and Mac users now, but what about when that's all there is..
These are cycles people and we are going through the first, maybe second one. Things will change so quit being so childish. If you guys are a hint to the "Computer Industry Leaders" of tomorrow, than I am truely scared (SkyNET).

Score: 0

By GoodThings2Life

posted Aug 25, 2004 - 11:52 PM

You would probably be right if only your post made more sense and had more accurate statements that were supported by facts rather than comments intended to bash those who don't believe in your Linux/Open-source fanboy club.

Score: 0

By yousuck,man

posted Aug 26, 2004 - 1:32 PM

perhaps if you read it then it would make sense. the proof lies in the facts. if you actually knew what the hell you were talking about then it would be moe tof course, if you really actually believe that windows is 'superior' to linux or that linux is not safer, partially because of it's not the 'mainstream' platform, then perhaps you should talk with someone who works in the field, or knows about computers. it's obvious that you know nothing.

Score: 0

By RehabDJ

posted Aug 25, 2004 - 11:40 AM

Quite true. You lock your house as a mere deterrent to a break in. The real theif can always get in post any security.

BTW if you find that patch for stupidity, PLEASE tell us.

Score: 0

By GoodThings2Life

posted Aug 25, 2004 - 4:18 AM

Agreed... to a point. The only truly safe connection is a disconnection.

I will simply point out that whether SP2 has flaws or not is an ignorant debate. Of course it does. There will be more. There will always be more.

Just like there will always be flaws and bugs in Netscape, Opera, Mozilla (regardless of flavor) and every other piece of complex software ever written.

It is obvious to realize that IE has more users so the focus on IE is greater. As use of alternative browsers increases, so will the number of dangers in those products. Anyone to dispute otherwise is a fool.

Moreover, if we're going to look at security flaws... let's admit the biggest one of all! Let's admit that end-user-incompetence is the worst flaw since so many people use weak-passwords, don't pay attention to the actions they take, and don't take time to properly configure any of their software to work better for them. They are intimidated by the computer from word "boot", and yet they will go to the same "crap" websites and use the same dangerous software simply because "it's cool and popular" without even taking time to read the warnings put into programs. They allow their computers to be junk-infested piles of manure, and if they even realize it at all it's a shock. Most assume it's NORMAL for their computers to act that way.

Score: 0

By AlwaysIcey

posted Aug 24, 2004 - 2:55 PM

I would have to agree with Microsoft for the moment on this.. Until the proof of concept code is set to show that a single mouse click will cause a malicious program to be saved to your Windows Startup Folder (or anywhere on your computer without your knowledge), it's not as big of an issue as it's made out to be.

Why????
Because most people don't even realize they HAVE a Windows Startup Folder, let alone how to drag a file to it.
AlwaysIcey

Score: 0

By membreya

posted Aug 24, 2004 - 11:59 AM

To everyone and anyone complaining about online security and any new flaws that may be discovered... I've found the best method of making your computer hackproof..no it's not linux, it's not mac...

Disconnect your computer, that's the only way to REALLY be 100% sure you're hackproof

Score: 0

By utomo

posted Aug 22, 2004 - 10:57 PM

because just few days and now we have this problems I think it is now the time for Microsoft to prepare win xp sp2a. to solve all the problems and make all customer happy.
Microsoft must leave some developers to maintain win xp sp2, and not pull back all the developers to longhorn project. to make win xp more better and more secure.

Score: 0

By ghammer

posted Aug 25, 2004 - 4:15 AM

So, if I visit a website and it says 'Go to Start-Run and type cmd now drag this picture into the CMD window'. I can run a program that may not be in my best interests?

Whooo! Stop the presses! I can run programs in Windows!

I'll bet the same 'highly critical' problem exists in all versions of Windows.

The nerve of MS allowing me to launch an app!

All this tidbit has done is to discredit Secunia, who I've >never< heard of.

Score: 0

By rijp

posted Aug 22, 2004 - 11:25 PM

I have posted this comment several times before, so i think its time to post it again.

What is Microsoft? Its a Fortune 500 company. Its 130 or so.. out of 500. That means its a HUGE company. Excess of 10,000 employees.. What products to you think they use? Linux? Apple? AS/400? Hell no.. They use, duh, Microsoft. Every product designed at Microsoft is used BY microsoft.. been that way for 20 - 25 years now. They manage to turn a profit, and utilize their own products. ALL of their software is exclusively Microsoft. Do you actually think a Fortune 500 company 12 billion dollars large... uses failed software? NOPE. Microsoft manages just fine using their stuff. Microsoft is probably their own biggest client.. Stick that in your peace pipe and smoke it. Somewhere, someone has to realize, Microsoft isn't perfect, neither is any other company. But one fact remains.. No other company on the 500 list uses a product from another 500 company.. except 1. ALL of the fortune 500 companies use Microsoft software, in some way shape or form. Not all companies shop at walmart, or buys GM cars, uses Exclusively FedEx or UPS to ship, or drinks Coke. But every Single Fortune 500 company uses just 1 other 500 company software. Microsoft. That in and of itself is a statement about Microsoft. You can blow smoke up my derrier and call it whatever you want, but let's be real people. Microsoft is the envy of the world. Plain and Simple. Get over it. EVERYONE wants to be Microsoft. Period. Jealousy is a b****. Move on.

Score: 0

By tremens

posted Aug 23, 2004 - 10:12 PM

Theres no disrespect for microsoft due to lack of innovation. It's their business practices, if your envious of this, you must worship SCO, Enron, Haliburton, Walmart, etc. I don't aspire to @!#$ fellow American's over to get rich. AND I'm certainly not jealous of anyone doing so.

Score: 0

By simonchretien

posted Aug 23, 2004 - 5:51 PM

"I have posted this comment several times before, so i think its time to post it again"

Well, maybe you should consider stopping, that was a pathetic post.
Who cares which company uses which products or if you use your own products at all.
Just the fact that they will continue to ignore another potentially dangerous bug is stupid.

Score: 0

By TheRecklessWanderer

posted Aug 23, 2004 - 5:02 PM

Here Here!

Of course, you don't mean they use just MS product. I am sure some of them use Linux Servers. I know that Intel uses some Linux servers, and they are in the top 500, I am sure, but none the less...

Here Here!

Score: 0

By Verdauga Greeneyes

edited Aug 22, 2004 - 10:10 PM

I think the problem is that people are treating these security flaws like they are bugs, when they are just something the clever programmers at Microsoft didn't think of. If you write a program, making sure it's -bug- free, that doesn't mean there aren't ways it could be exploited. In fact you'll have to secure every feature individually, and -still- keep it bug-free. And no-one can think of everything. This is why companies hire professional crackers: because their programmers just write the protections, it's not their job to find ways into their own software. And even those crackers won't find every flaw, there's always someone else who will think of something new which makes it completely simple to get past all securities already in place. Firefox maybe secure, but the people who programmed it have been able to learn from the usual target: Microsoft. And maybe in putting those securities in place they see new flaws that others didn't see and solve them on the spot.

A program can only be flawless until someone thinks of something new. Nothing more, nothing less.

Score: 0

By coolkyatt

posted Aug 22, 2004 - 7:56 AM

I don't mean to sound like a MS fan boy, but come on, half of these flaws that these MS bashing firms report your hackers and script kiddies don't know exist untill its made public. The only ones compromising our systems is these firms that are quick to say "ohh look MS screewed up again", and post a "Flaw" in every medium there is. (Ok you can start bashing me now)

Score: 0

By nilst2004

posted Aug 22, 2004 - 5:04 AM

I haven't noticed any problem with sp2 - yet. I believe that the found flaw is fiction.

Score: 0

By simonchretien

posted Aug 23, 2004 - 6:02 PM

Secunia doesnt release information about fictional bugs. Just try gathering some information before posting crap.

Score: 0

By zridling

posted Aug 21, 2004 - 7:01 PM

I'm more concerned with slower internet in XP2, and if you've received this message: "EventID 4226: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts," go to Dana Epps' site for the NMAP fix in XP2 at http://silverstr.ufies.o...og/archives/000669.html

Score: 0

By linasp

posted Aug 24, 2004 - 5:44 AM

This is not bug, it's a feature! XP2 allow only 10 concurent network connections, because of "future threat from attacks like blaster and Sasser that typically spread by opening connections to random addresses.". You can change it by modifying registry keys.

Score: 0

By Sno

posted Aug 21, 2004 - 1:27 PM

The reason everybody picks on Microsoft is because it is the system. Everybody fights the system but still uses it.

Finding Exploits and Hacking any microsoft program is like Shoplifting Walmart or 7-11.

Finding Exploits and Hacking any open source program is like shoplifting from a mom and pop store.

Who the hell wantes to fight the underdogs?
You want to help the underdog.

The staff of mozilla is much smaller but the programs it concentrates on are much smaller. It has the Gecko Core, Mozilla, Firefox, Thunderbird and a few other small programs

Even tho Microsoft has a HUGE staff and Lots of money they have many products around the world. They don't concentrate on small bugs that cause no revenue change. They do what makes money. They make or fix programs that sell to major corporations with the million dollar contracts. My Fathers hospital has a 3.6 million deal with microsoft to use any software of microsoft at will(MS Server, office, access, SQL). Why would microsoft care about a free 10 meg program?

Score: 0

By simonchretien

posted Aug 23, 2004 - 5:54 PM

Poeple like you make Jesus cry.

Score: 0

By speedmeister

posted Aug 21, 2004 - 2:41 PM

Maybe in the short run it won't make Microsoft much money to improve Internet Explorer since they don't sell it separately from the OS. In the long run however, greater interest in Mozilla is going to force web developers in turn to adopt designs that work in other browsers. This in turn will reduce criticism of Microsoft's competitors having trouble rendering major pages. Microsoft neglect of Internet Explorer is going to push consumers to use something else. Once they see a quality alternative to Internet Explorer exists they are probably going to be more willing to consider alternatives to other Microsoft products.

The growth of Mozilla isn't going to kill Microsoft but it is an area where there is great potential to bring attention to some of Microsoft's shortcomings.

Score: 0

By Sno

posted Aug 21, 2004 - 10:27 PM

Well there is one problem. The average person is perfectly Fine with IE even with the wholes and flaws.
The average person does not care if its the best as long as it works.

Score: 0

By purvin

posted Aug 31, 2004 - 2:03 PM

Well isn't the question that how can Microsoft put out their "greatest service pack" and not have fully tested it. How is it that others are finding the flaw that MS should be finding?

Score: 0

By speedmeister

posted Aug 24, 2004 - 1:13 AM

" Well there is one problem. The average person is perfectly Fine with IE even with the wholes and flaws.
The average person does not care if its the best as long as it works."

Definitely most people could care less whether or not a web browser has support for alpha transparency for pngs or complete CSS2 support.

The only problem with your statement is that I would say for many people Internet Explorer doesn't really serve their needs. Even the least technically saavy user could appreciate spending less time dealing with worms or viruses or spyware. If Firefox seems to work fine for their favorite webpages and the spyware doesn't seem to be coming back what reason would the average person have to continure. They might never use tabbed browsing, themes, or a javascript debugger but that doesn't mean that they won't benefit from the improved security and stability.

Score: 0

By GrievousX

posted Aug 21, 2004 - 11:40 AM

This is sensationalism, nothing more. The "Flaw Found in Windows XP SP2" is apparently a flaw found in Internet Explorer. Did anyone honestly think that SP2 was going to be the last security patch for Windows XP? I believe this is just Secunia's way of making a name for themselves. "Ew! Ew! We were the first to find a flaw in XP SP2!"

Although, honestly I know nothing about the company and this is probably an isolated event for them, it just seems like companies try to make a name for themselves by being the first to point out a Microsoft problem, thus making them better than Microsoft, in a subliminal way.

Just my 2¢.

Score: 0

By speedmeister

edited Aug 21, 2004 - 8:58 PM

"I believe this is just Secunia's way of making a name for themselves."

Oh Please! Secunia is already a well known security firm. Just because you haven't heard doesn't mean that they haven't done anything. They list thousands of vulnerabilities for different products. Their site is a good resource for keeping track of a security vulnerability not all of which they discovered. A quick google search finds over 90 thousand references to secunia.com from external pages. That's a lot more than the ~24 thousand that betanews has.

" honestly I know nothing about the company"

Given your polemic response to this story that's pretty obvious. And it's pretty obvious you didn't bother to read the secunia advisory either.

" This is sensationalism, nothing more."

While the headline is a bit deceptive it's not deceptive to say that Internet Explorer has security issues. 42 security advisories for Internet Explorer 6 in the last two years isn't sensationalism nearly half of which are of a serious nature. The pr disaster that was Download.Ject two months ago wasn't sensationalism. Microsoft has known for years that security bugs were a major problem with their software. Two months ago the only way to stop Download.Ject was to stop using Internet Explorer. Having already had a problem of that nature should really make you question your trust in Microsoft.

"it just seems like companies try to make a name for themselves by being the first to point out a Microsoft problem, thus making them better than Microsoft, in a subliminal way."

Nope. What we have are companies that are letting people know about these issues. If you have bothered to read Microsoft's security bulletins you would realize that virtually all of the security issues in Microsoft's products were discovered by outside programmers. It is companies like Secunia, Grey Magic, etc. that are bringing these issues to light.

GrievousX, you clearly haven't been reading site very long if you aren't familiar with some of these issues. If you want to be treated seriously you should spend some more time to familiarize yourself with the issues.

Score: 0

By wyldtwyst

posted Sep 10, 2004 - 10:18 PM

I must say that 95% of the material I have read in this thread is intensely over-dramatic. I am no IT Goddess and I am not old enough to remember the punch-hole computer programs but I do know a thing or two about computers. I am a web-developer and programmer working off Mac and PC platforms running high-end applications every day. Like many, I use Windows at home. I have been an active PC and internet user since Windows 3.x and not once have I had serious errors or crashes that have destroyed critical information or that couldn't be fixed or the settings/files restored. I spend much of my time repairing PCs that have been hit through vulnerabilities, but these are normally problems that could have been avoided had the user maintained a higher level of security on their PC (maintaining subscriptions to anti-virus software or firewalls, creating backups, etc.) Like so many I prefer a Mac for some applications and PCs for others. It's not about MacDonalds vs Mom-and-Pop exploitation and it's not about preferencing based on who came up with the best GUI first, etc. This is about functionality, accesibility, and ease. I use MSIE because it is built by Microsoft for Microsoft, the same people who happened to come up with my mail program, my multimedia program, and many others that were all automatically installed with Windows XP. I use MSIE because 95% of the people who surf through my websites are using MSIE (likely for the same reasons I am) and it helps me in maintaining a degree of uniformity in deciding how I will write my HTML codes. I use MSIE because it gets me everything I want to see and use and most of the time I don't even need a new plug-in. Perhaps using ActiveX makes me more vulnerable to vicious programs. Perhaps using Outlook exposes me to threats from malicious e-mail attatchments. Perhaps using P2P networking is an exposure of my digital self to the evil world of file corruption. Or maybe the simple fact that I have a cable hooked into the side of my ethernet card makes me available to any hacker on the planet. So far my virus software is updating, my firewall is firing, and simply exercising a sensible degree of caution has kept me safe from these end-of-the-world security vulnerabilities caused by Microsoft's 'Monopolistic oversights that could have been prevented had they thought of everything before the hackers did.' It's a push-and-pull world. I have to agree that security is relative. Microsoft spends millions more in their beta departments because people worldwide spend millions more on their products. Why should a hacker focus on cracking programs and operating systems that are numerically inferior [by a landslide] to Microsoft when it comes to usage and distribution? It's just not worth the time and effort unless they've got it in for a particular group of users, and why aim for the cherry when you can take on the whole sundae?

For now the inferior folks who aren't into the latest flavors or the coolest browser... well most of them are happy I'd say. They're getting a healthy share of dynamic webpage content, streaming media, and seamlessly integrated program usage with little more bother than starting up the computer and spending 15 seconds and a bit of RAM watching their security system load up and their desktop up there exactly how they like it.

Score: 0

By arevalomarlon

posted Aug 22, 2004 - 4:03 PM

Well Done!!! 100%%

Score: 0

By rijp

posted Aug 22, 2004 - 10:46 PM

Suck up

Score: 0

By GrievousX

posted Aug 22, 2004 - 11:35 AM

You're totally right. I agree 100%. Great post!

Score: 0

By bourgeoisdude

posted Aug 21, 2004 - 11:20 AM

While this is indeed a potential flaw in Internet Explorer, this has absolutely nothing to do with XP SP2, and it frustrates the !@#$%^ out of me when Microsoft haters try so hard to cut down their new products. This is a bug that affects IE 5, 5.5, and 6.0 as well, so this has NOTHING to do with a new 'flaw' in SP2--THIS IS INTERNET EXPLORER. Call it for what it is. Oh yeah, and FireFox doesn't have this flaw because it doesn't use ActiveX, but no one tries to break FireFox only because only 3% of computer users even know what it is, so please quit posting off topic advertisments for it.

Score: 0

By pplude92

posted Aug 21, 2004 - 11:34 AM

Fire Fox is a Mozilla Browser, but it SHOULD be more widely used, fast, efficent, and simple. Thats the ay to go. MOZILLA!!!

Score: 0

By Lotius

posted Aug 21, 2004 - 6:13 AM

I guess that just depends on where you're looking. From my experience with Fedora and Mandrake, to this day I still get notifications from both of them about various security flaws and updates they've released there are also a good many websites out there that are devoted to covering just linux issues. Betanews is a pretty well balanced site, sure it covers mostly windows related stuff, see the list of beta programs they list? Mostly windows software.

Score: 0

By ChadL

edited Aug 20, 2004 - 7:32 PM

If you are half worried about security, then you would use FireFox, so this really is not a problem for most people who are aware of security.

Like all the other problems, it requires a mistake on the users end (like no firewall, Internet Explorer, Opening E-Mail Attachments, Ect) in order to be of any real threat.

Score: 0

By Budgie29

edited Aug 20, 2004 - 7:19 PM

you only have to look at windows where ver1 was a bug in itself ,now it has bloated to (estimated) 350,000 bugs ,it is my reckoning that Microsoft’s next version of windows sp1 of longhorn (which name they actually give it) ,when it final realise .. (MS)Should seriously concentrate on bug fixing and not so much on improvements.and make the software smaller which requires less compting power (make it more efficant in how it in the way it works.
and not so much of the bloatware.

Score: 0

By rijp

posted Aug 22, 2004 - 10:49 PM

Well they already have accesss to a dictionary, you should use it, and quit abusing the english language.. that hurt my eyes to see such a lousy spelling.. Take your time take a deep breath, and type slower if you have problems with spelling, at the very least, proof read!

Score: 0

By zagman76

posted Aug 20, 2004 - 7:46 PM

never - because it's easier and cheaper to beta-test on the general public...

Score: 0

By compuoddity

posted Aug 24, 2004 - 3:47 PM

If you want to check bug count, check open source. Look, while I'm not a huge fan of M$, it's the way things are. And frankly, right now it provides me with an income, entertainment in the form of games, net, music, etc., and I really don't have to do all that much for it. Of course I use Linux, and of course I think it's great for what it is. And while the mom-and-pop restaurant may taste good, McDonald's is all over, is going to taste the same no matter where I go, and is going to be real quick to cower to my demands when necessary.

Score: 0

By Mark Gillespie

posted Aug 20, 2004 - 7:05 PM

Seems the press are having the fieldday, the 1st SP2 bug has been found.

Not once does it mention that it also affects XPSP1, XP, Windows 2000 etc....

It also fails to mention that Microsoft's crystal ball is broken, as they did not fix this one before Sp2 shipped... (even though it was only reported a few days ago).

Lets face it, although SP2 is considerably more secure than any OS gone before, it's gonna have security alerts, it's now a fact of life.

It's also worth noting, before the linux diehards have their go, Redhat has had 14 security alerts since the begining of August, none of which get a single mention..

I'm waiting for the Mozilla browsers to fall down as soon as the hackers target them, as they have had nowhere near the punishment that MS browsers get... There are MANY exploits to be discovered in there...

Score: 0

By bourgeoisdude

posted Aug 21, 2004 - 11:25 AM

"It also fails to mention that Microsoft's crystal ball is broken, as they did not fix this one before Sp2 shipped..."

Love it, man!

Score: 0

By sophist_dreams

edited Aug 21, 2004 - 7:29 PM

I hate to burst the bubble of all you Mozilla haters but the reason that hackers have not cracked FireFox or any of the other Mozilla browser builds is that they have no vulnerabilities built in...and the ones that are found are generally discoverd to be faults in Microsoft software. Perhaps this is because Mozilla projects are ongoing enterprises instead of the "this is the best we got and we arent developing anything new or innovative" attitude that pervades free Microsoft software, but whatever it is, to believe hackers have not targetd Mozilla is crap.......they just cant get in. Dont you think it would be quite a coup for a hacker to say he cracked Mozilla?

I do, however, agree this article is yellow journalism....the fault is not in XP SP2 (which I am now using), the fault is in Internet Explorer and should have been reported as such

Score: 0

By rijp

posted Aug 22, 2004 - 10:56 PM

OK, thats just plain stupid. No one uses Mozilla or Firefox enough *YET* to warranty scrutiny like IE. I suppose you think mercedes never are in the shop either, because they are perfect.. They are 60-80K cars.. very expensive, but they get maintenance just like any other car, you never hear about them, because people with money don't do it themselves, they hire people to take care of them. They don't care to hear about the problems, just that they are fixed so they don't have to deal with them. A small group of people that use Firefox or Mozilla, is just that SMALL. Once it gets big.. which may be a while.. it will get the same level of attention. If IT companies adopt Mozilla and Firefox you can bet your bottom dollar, they *WILL* find problems. Name one company that has replaced IE with Firefox or mozilla.. Fortune 500 company... You won't find any, because it hasn't been tested yet. Give us a product that is actually ready for prime time, and has been thoroughly tested.. until then, quit wasting our time. I use Firefox. Its nice.. But its lacking with no support for active X, so I have to toggle back and forth.

Score: 0

By fdickey

posted Aug 22, 2004 - 4:46 AM

Can't crack Mozilla? That sounds like the talk I keep hearing from the Linux folks that claim that Linux is hack proof, lol. Tell that to the people at a site I saw this week get hacked that is hosted on a Red Hat Linux server with Apache, ROFL. (URL available upon request)

Mac's don't crash, Dell servers are bullet proof and wireless networks with WEP encryption turned on are secure....LOL. All urban legends in my book.

Security is relative to the hacker. THERE IS NO SUCH THING AS HACK PROOF, only hack resistant. Any security "expert" would be willing to acknowledge this.

I like the analogy of hacking Microsoft is like shoplifting Walmart.

This is only the second news article I've seen where some "expert" security firm claims to have found some sort of critical flaw in SP2.
The last one said that there was this great earth shattering security flaw that if a user received and attachment, renamed it to a .exe or .com file and then executed it Microsoft should be blamed for the huge hole in their buggy software...OMG!!!

So if someone types Deltree *.* /y does that mean that they just found a new security flaw in SP2 and deserve some sort of award or does that mean they are a complete moron who deserves what they get?

I'm sure Microsoft's legal team is itching to send some certified letters to these "experts" and the media that repeats them for making such irresponsible announcements as I've seen lately. Heck, Homeland Security should also step in under the Patriot Act on this crap. Especially when these genius "experts" continue on in detail of how to utilize these "earth shattering" exploits. I mean, are all these "experts" ex-CNN empoyees from the Gulf War era? "If a terrorist was to do this, this and this it would be the biggest catastrophe mankind has ever seen...oh yeah and here's the exact positions of all our miltary troops and what they're doing at the moment for anyone paying attention". DUH.

Let's just start posting pages from the Anarchist's Cookbook onto billboards along the Interstates and say we are doing it to expose flaws in national security and see what happens. That's exactly what these "experts" are doing when they broadcast this crap about flaws in Windows through media accessible to just any moron out there in the general public.

All they are accomplishing is unneccessary exposure of potential vulnerabilities that may or may not be serious but are a lot more likely to become serious due to their irresponsibility. If I wanted to know about security flaws from XYZ security company because I trust their opinion, I would subscribe to their mailing list. I'm sure they would make every effort to insure that I'm not a cyber terrorist, since they are so concerned about security, before handing me kindergarden level instructions on how to manipulate vulnerabilties that they've discovered in the most widely used software on the planet.

Score: 0

By simonchretien

posted Aug 23, 2004 - 6:11 PM

Of course, linux systems can be as insecure as any microsoft product.
If they are configured by incompetent people or not kept up to date.

Score: 0

By rijp

posted Aug 22, 2004 - 11:03 PM

LOL Deltree *.* /Y. Dude you deserve an award for that one. Format *.*. FDISK... I am finding more and more security flaws.. all over my Command Prompt.. someone should report these.. LOL. That was funny, made my whole night.. Great stuff. Good point. Some reality at last! Where do these people come from..Yeah, I did a SYS of my floppy, it no longer boots.. oh, that's another security flaw.. access to the floppy.. we could be here all night. The next person that says they find holes in Microsoft.. i am sending them an etch-a-sketch for christmas, so they will quit complaining. Use it or don't but don't keep complaining about it.

Anyway, great post..I am saving a snap shot of this thread.. man that was funny.

Score: 0

By sophist_dreams

posted Aug 22, 2004 - 8:05 PM

To fd***ey,

I never said FireFox or any other Mozilla browser was hack proof..I simply said they didnt have any obvious vulnerabilites built in like so many of Microsoft products do (ie ActiveX). I also was trying to make the point that hackers have been trying to crack the Mozilla products but hadnt found a way to as of yet. Will they? who knows? But for right now you can keep IE, I will stick with Firefox, I like my computer the way it is tyvm.

Score: 0

By rijp

posted Aug 22, 2004 - 11:09 PM

Yeah, so what is obvious.. Ie doesn't have any obvious security holes either, dufus. Otherwise some company wouldn't have spent millions of dollars and thousands of hours trying to uncover it.. you spend enough time, and eventuall you will find holes in EVERY system, not just microsoft. its tought being the Richest man in the world, everyone wants a piece of his pie. Nobody wanted to contribute when he was just a drop out from harvard, but damned if they want a part of the profit from it.. Its amazing, the greed of some people. As one user pointed out, this is a way for yet another company to make a name for themselves, at Microsofts expense.. Just quit using MS products. ITs very simple. Use your linux, Mozilla, and Open Office. Quit using windows, MS Office, and IE. If you find it that much of a problem, cease using it. Because I am tired of hearing about so many products that are so much better. Fine, take your circle of 3 friends, and use it all you want, now maybe you will shut the hell up.

Score: 0

By bourgeoisdude

posted Aug 21, 2004 - 2:59 PM

Don't get me wrong. I don't hate Mozilla--I just use IE, as does most of the market. Heck, Mozilla may be (and probably is) 10 times better than IE, but ive used ie since version 2.0 and like most people I don't like to change if I don't have to. I just wish there were a way for other internet browsers to use ActiveX in a secure way as I love using Windowsupdates, officeupdates, online virus scans, etc.

Score: 0

By speedmeister

posted Aug 21, 2004 - 4:43 PM

You are right in saying that their are some legitimate uses for ActiveX. The problem is that too often most pages that use ActiveX have mischievous motives. I use Mozilla for my everyday use and Internet Explorer only when I need it. Having to open another browser for those occasions is less of an incovenience of having to deal with some of the worms and trojans that take advantage of the security issues of Internet Explorer.
Considering that most pages will work fine in Mozilla that aren't many disadvantages to using it as your everday browser.

Score: 0

By Planet.Of.Wounds

posted Aug 21, 2004 - 5:18 AM

I have to disagree Mark: it's not *cheap* journalism.

It's *biased* journalism, as it seems to be the rule whenever Microsoft is concerned.

The same bias doesn't apply to the rest of the competition, which is of course *perfect* and only lags behind MS in terms of market share because Bill Gates bullied 90% of the PC users so they buy his Oh-so badly designed products.

We're all terrified by Microsoft, and that's why we don't use the superb, safe and secure Firefox.
In fact, I shoudn't be writing this: as we all know, Microsoft is watching us. They're going to storm my place in aaaaaaa...

Score: 0

By Mark Gillespie

posted Aug 21, 2004 - 6:52 AM

How do you know that Firfox is secure? It has no track record...

It certainly has not been the focus of hackers, as it's been the minority browser. As more peope move to it, it's going to be targetted by hackers more and more, and I suspect it's going to be getting more and more security alerts. It COULD be even more insecure that Internet Explorer, we simply don't know...

Score: 0

By speedmeister

edited Aug 21, 2004 - 4:29 PM

"How do you know that Firfox is secure? It has no track record..."

No Track record? Firefox didn't just start by scratch 2 years. If you are familiar with the Mozilla Foundation you would know that most of the core code came from the Mozilla Suite which has been used for years. Millions of people have used Mozilla, Netscape, Galeon, K-meleon and other products that used the Gecko rendering engine.

There have been security bugs in Mozilla before but generally they have done a better job of fixing them in a timely fashion. The Mozilla foundation has shown themselves to treat security bugs more seriously then Microsoft.

In addition Internet Explorer has largely been abandoned by Microsoft. Not much has changed in Internet Explorer other than security fixes in the last 3 years. Someone looking for a browser that will be continued to be supported by the developers should give up on Internet Explorer.

Score: 0

By rijp

posted Aug 22, 2004 - 11:15 PM

So the updates that Netscape put out.. since 1.0 of the browser, what were those 100% product enhancements.. Bull Pucky. They were fixing security flaws..

Score: 0

By Planet.Of.Wounds

posted Aug 21, 2004 - 3:41 PM

Err, Mark, I totally agree with you. I was being sarcastic buddy...

Score: 0

By voltaire

posted Aug 21, 2004 - 8:49 AM

Well it does track record actually, So far to date in firefox's relativley short life there has already been two exploits found. Of course that wont stop me using it just yet. I love it. But it could be a worry if/when hackers turn the sights to firefox

Score: 0

By ambiancelover

edited Aug 22, 2004 - 3:04 PM

Well it seems everyone finds the flaws and keeps picking on the software makers.Maybe You should make your own software MARKET IT and PROTECT IT and yes Test It! You will find its probably not as easy as ALL of you think, while you sit in front of your monitor and criticize everyone. Others try to put a product out there but Nobody is perfect - let alone teams of ppl working on the projects!Dont think your HOLY'R than though as you sit back as armchair quarterbacks!

You ppl are amazing in knowledge but Excell mainly in SARCASM!

HERE"S your Sign!

Score: 0

By Domestic

posted Aug 24, 2004 - 1:12 PM

I have been using XP SP2 since it's Beta realease and now RTM. It performs like a champ for me with no known issues. In my many experiences with MSFT, I have found that if they are aware of a "problem" they will do their utmost to resolve the issue ASAP. Thanks for listening. (a very satisfied MSFT Client)

Score: 0

Nov 21 - 6:51 PM ET Coalition urges better laws for e-mail and cell phone privacy

Nov 21 - 6:42 PM ET How is Internet advertising faring in this bad economy?

Nov 21 - 6:15 PM ET From out of the Amazon Cloud, an AWS winner emerges

Nov 21 - 5:20 PM ET Mufin music finder enters public beta, adds widgets

Nov 21 - 5:01 PM ET Google launches its SearchWiki semantics plug-in

Nov 21 - 4:57 PM ET Asus previews a slimmer, less costly Eee PC

Nov 21 - 4:32 PM ET New Adobe Media Player ushers in AIR 1.5

Nov 21 - 2:11 PM ET AT&T to add Pantech's low-cost C630 phone to 3G lineup

Nov 21 - 1:11 PM ET iPhone gets firmware 2.2 update

Nov 21 - 11:51 AM ET The Dell surprise: Higher earnings on lower revenue