Microsoft late Thursday issued an advisory with pre-patch workarounds to counter the public release of a zero-day exploit targeting users of its Internet Explorer browser...There is no patch available for the vulnerability and, because exploit code has already been released, incident handlers at the SANS ISC (Internet Storm Center) believe a widespread attack is very likely...
In the absence of a patch, the company has published detailed workarounds and mitigation guidance [microsoft.com] to help block known attack vectors.
eWeek Article: http://www.eweek.com/article2/0,1759,1849948,00.asp?kc=EWRSS03129TX1K0000610
Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests.
Yeah right... next time someone at Microsoft sees something in some non-MS program, I'm sure they'll drop the developer a line to let them know how to improve their software.
Public humiliation is the only thing that keeps Microsoft from opening a bank and having MS-Money replace the U.S. treasury.
I'm sure the people who developed Netscape Navigator, Lotus 1,2,3 and Wordperfect report bugs in IE, Excel and Word directly to MS all the time, :)
Microsoft should have learned the lesson about "the people you screw on the way up being the same people who will laugh their a** off when you come crashing down"... nah, they never will.
Just search for and delete "msdds.dll". Problem solved.
Better yet http://GetFirefox.com [GetFirefox.com]
Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly
I would say that sending out exploit details to a mailing list without notifying the company whose software is involved is irresponsible. It's not just Microsoft who suffers when malicious parties get exploit details first - it's the users who need to be considered, and letting MS know, out of the public eye, seems only right to me.
However, I have a minor problem with Microsoft's suggested workarounds.
It appears that setting the kill bit for the control pretty much solves the problem, and has no negative side effects (as opposed to some of the other workarounds). Sounds like a decent "solution" to me!
However, to set the kill bit for this control, you need to use the registry editor to create a key and a value. Now, *I* can do that (and perhaps most of the WebmasterWorld readers), but I'm sure there are *many* end users who can't. How hard would it have been for MS to provide a mini-program that does these steps for us?
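The "mini-program" the poster is asking for amounts to a handful of registry operations. The script below is an added example written for this thread; it is not Microsoft's workaround text and not code from the original post. The kill bit mechanism itself is documented: a DWORD named "Compatibility Flags" with bit 0x400 set under the control's CLSID beneath HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility. The CLSID value is a placeholder, not the real one for the msdds.dll control; substitute the CLSID from Microsoft's advisory. It must be run from an administrator (elevated) PowerShell session, and it preserves any other flag bits already present rather than overwriting them.

```powershell
# Added example for this thread (not Microsoft's own tool).
# Sets, verifies, or removes (-Undo) the ActiveX kill bit for one CLSID.
# Run as an administrator. The default CLSID is a placeholder: replace it
# with the CLSID published in Microsoft's advisory for the affected control.
param(
    [string]$Clsid = '{00000000-0000-0000-0000-000000000000}',  # placeholder (assumption)
    [switch]$Undo
)

$base    = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBit = 0x400   # the documented "Compatibility Flags" kill bit

# Refuse anything that does not look like a CLSID; a typo here would
# silently create a useless key and leave the real control enabled.
if ($Clsid -notmatch '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') {
    throw "Not a well-formed CLSID: $Clsid"
}
$key = Join-Path $base $Clsid

if ($Undo) {
    if (Test-Path $key) {
        Remove-Item -Path $key -Force
        "Kill bit removed for $Clsid"
    } else {
        "No kill bit was set for $Clsid"
    }
    return
}

if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

# OR the kill bit into whatever flags are already there instead of clobbering them.
$current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
            -ErrorAction SilentlyContinue).'Compatibility Flags'
$newValue = [int]($current -bor $KillBit)
Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $newValue -Type DWord

# Verify the bit really landed before telling the user the box is protected.
$check = (Get-ItemProperty -Path $key -Name 'Compatibility Flags').'Compatibility Flags'
if (($check -band $KillBit) -eq $KillBit) {
    "Kill bit set for $Clsid (Compatibility Flags = 0x{0:X})" -f $check
} else {
    throw "Failed to set kill bit for $Clsid"
}
```

Two caveats a practitioner would want: the kill bit only stops IE from instantiating the control through its CLSID, so it does nothing for a copy of the DLL loaded some other way; and on a 64-bit Windows install the 32-bit IE reads the same path under HKLM\SOFTWARE\Wow6432Node, so the key has to be set there as well.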
I do all of my surfing from a limited user account, except for a handful of known safe sites such as webmasterworld.
In windows, you are either an administrator or a limited user.
- Set up a new user account in the control panel for surfing. Make the account an administrator.
- Log onto the account and start firefox one time. (you need to be an admin the first time you run firefox in order for it to set up properly in the account)
- Log off of that account
- go to an admin user account and change the user you just set up to be a limited user.
- From then on, when you are browsing, switch to the limited user.
I've set a bunch of my clients up this way. It is a pain to switch back and forth but everyone who does this has been virus, adware and spyware free. I have a 10 year old who hits a bunch of kid sites and he hasn't been hit with any virii.
I realize you will never have 100% safety, but running as a limited user provides a huge safety net. The trick is that limited users cannot install software. If you update firefox, you have to do it as an admin and then run firefox on your surfing account as an admin one time.
Note that you must have at least one account on an xp machine that is an administrator so you can't switch the only account to a limited user, you need to set up at least one additional account.
Hope this helps
cg.
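The account-juggling steps above can be scripted rather than clicked through in Control Panel. The script below is an added example for this thread, not cg's own setup; it drives the built-in net.exe commands from PowerShell, run from an administrator account. The account name 'surf' is an assumption. Run it once to create the account as an administrator (so Firefox can do its first-run setup under that profile), log on as that user once, then run it again with -Demote to drop the account to a limited user. It refuses to demote if that would leave no administrator on the machine, which is the trap the post warns about.

```powershell
# Added example for this thread (not from the original post).
# First run:  creates $User as an administrator for Firefox's first launch.
# Second run: -Demote removes it from Administrators, leaving it in Users
#             (a "limited user" on Windows XP).
param(
    [string]$User = 'surf',   # assumed account name
    [switch]$Demote
)

function Get-AdminMembers {
    # Parse the member list out of "net localgroup Administrators" output:
    # skip the header, the dashed separator, blank lines and the trailer.
    net localgroup Administrators |
        Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|-+|The command)' }
}

if (-not $Demote) {
    $pass = Read-Host "Password for account '$User'"
    net user $User $pass /add                 # new accounts land in Users by default
    net localgroup Administrators $User /add  # temporarily an admin for Firefox's first run
    "Log on as '$User' once, start Firefox, log off, then rerun with -Demote."
    return
}

# Never demote the only administrator; you would be locked out of admin tasks.
$others = @(Get-AdminMembers | Where-Object { $_ -ne $User })
if ($others.Count -eq 0) {
    throw "'$User' is the only member of Administrators; create another admin first."
}

net localgroup Administrators $User /delete
net localgroup Users $User /add   # harmless if already a member

# Verify the account is really gone from Administrators.
if ((Get-AdminMembers) -contains $User) {
    throw "'$User' is still in Administrators"
}
"'$User' is now a limited user (member of Users only)."
```

When Firefox later needs updating, the same two-step dance applies: promote, run it once, demote, or simply install the update from a separate administrator account and then launch Firefox once as that user.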
Yeah right... next time someone at Microsoft sees something in some non-MS program, I'm sure they'll drop the developer a line to let them know how to improve their software.
They do - and more frequently than you would think. Microsoft recently sent bug reports to the team behind Samba, the open source reverse-engineering of MS network protocols for Linux machines.
Releasing the exploit code or details before a patch is available is totally irresponsible. Most legitimate security researchers inform the company and wait for the patch (which can sometimes take several months) before going public.
I think it's worth underlining the fact that, once again, this is an ActiveX issue therefore IE is the only browser affected.
And that's the best thing you can do for non-techy friends/relatives who can't/won't just use FireFox. Set IE up to run in "Ask me before running ActiveX" mode, and teach them to always say "no". When they hit a website that they *really* want to use that *really* doesn't work right without ActiveX, they can call you and ask if it's OK. I find this results in less of my time wasted than if they instead just call me when "my machine keeps rebooting itself" or "when I turn the computer on, it says 'C:\ - invalid drive'".
We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests.
The company that charges people up to $700 to become certified to fix their products. They charge people money to fix their products, Microsoft doesn't pay them to fix their products, or even certify them for free, it CHARGES them to fix their products. They don't just charge a little for bug filled office and O/S software, they charge a ton of money for software that other companies are giving away for 100% free.
A company driven by pure unrelenting greed at every filthy corner of its existence is asking people to help keep their products running smoothly and bug free with 0% incentive. Cough up some cash you cheap %#!@*&%'s. How about you shell out a few measly bucks and start paying the people that have helped keep you in business for way too long. They don't even blink when asking people to shell out money to become certified, yet they try to make us feel like criminals if we don't fix their bug filled software for free. [insert string of profanity here]
Jennifer
the Microsoft product is getting used/abused in a way which it wasn't intended, and so that makes it very easy for everyone to just pile it on Microsoft.
if someone puts water in my gas tank which is easily doable because it comes off the car lot w/o a locking gas cap it's not the automobile manufacturer's fault.
my post [webmasterworld.com...]
if someone puts water in my gas tank which is easily doable because it comes off the car lot w/o a locking gas cap it's not the automobile manufacturer's fault.
Stant invented the locking gas cap in 1932 in response to gasoline theft problems during the Great Depression.
Some company called Stant figured out a way to stop gas theft and tampering and patented an idea that probably made them a lot of money. My point is, what incentive does Microsoft give people who find flaws in their software? None, they whine and cry and say, "that's not fair." Well why should people help Microsoft, which already overcharges for its shoddy products, build better products for them so they can make even more money.
In my opinion there's a lot of BS floating around the whole subject, if these bugs cost companies (supposedly) millions of dollars then shouldn't there be a million dollar reward for finding these bugs? I bet you none of these so-called hackers would be sharing their bug information with others because they might tell Microsoft first and collect the million.
And I phoned them before they announced the reward ...!
Think about it: car manufacturers generally only have to contend with the way people use their standard product - the AVERAGE car driver doesn't completely reconfigure their vehicle before getting behind the wheel.
On the other hand, except in the most draconian locked-down corporate environments, I'd bet you'd be hard pressed to find any two PCs anywhere in the world that have exactly the same combination of hardware and software installed, in exactly the same sequence and in exactly the same place. Yet - by and large - computers work pretty well, despite the millions of different hardware and software permutations they have to cope with.
Some company called Stant figured out a way to stop gas theft and tampering and patented an idea that probably made them a lot of money.
So, to push the analogy a little further, the warm fuzzies experienced by alternative browser proponents is about the same as not being subject to gasoline theft because you chose to drive a diesel.
They (the minor browsers, not the cars) are not inherently any more secure, they just are not popular enough to bother with.
If firefox gets popular enough, the attackers will just change gears. *my* experience with that line of browsers is that you can blow them up just by looking sideways at them.
However, to set the kill bit for this control, you need to use the registry editor to create a key and a value. Now, *I* can do that (and perhaps most of the WebmasterWorld readers), but I'm sure there are *many* end users who can't. How hard would it have been for MS to provide a mini-program that does these steps for us?
Greetings,
Herenvardö
Hating MS 4ever
Insofar as
1) Windows is sold for use in network environments
2) It is not secure
It follows that Windows is unfit for the purpose for which it is sold. In UK law, that means a refund is due. However, it also means that the computer will be without an O/S so that means moving to an alternative such as Linux.
I have never tried Linux, but I have to say that I am not keen to try any operating system that uses case-sensitive filenames. To me, this is such a blatantly stupid idea that I have to wonder what other diabolical atrocities I might find.
Kaled.
BTW ..most times you can write a patch to import a reg key change in under 40kb ..even under 20kb like most virii or worms ..
These MS patches are nearly 600kb ...code bloat gone wild! ..or "obfuscating" ..lack of access to English version of the OS means letting the exploit happen on a non English version and comparing before and after reg shots ..then writing a working patch to import the value for each hole ..( and doing it separately for each language ) surely MS should be doing that work and not lying about the efficacy of their own patches ..or expecting others to write the patches for them ...
Perhaps if it hadn't been so necessary down the years to hack whatever 'doze one was running to keep it that way ..less people would have gone waltzing around the OS core and so fewer exploits would have been discovered by the malintentioned ..
Most of the "15 year old hackers" referred to in the media are actually just tweaking bots and virii and run sets that were discovered by older programmers ...the few youngsters who are talented coders having made a name for themselves are then snapped up by security firms (once the courts have given them their suspended sentences )..and then work at incredible salaries anticipating which holes may be hit next ...
Thus there is the "fame" incentive coupled with the "money" incentive to hack MS ...( apart from the basic curiosity of "how does this work" combined with "how can I stop this piece of code bloated junk from crashing every 10 minutes" ...no good asking MS ..once you've paid out for the OS they don't want to know ..and letting every box assembler pre install their own hacked version of the source means MS probably don't know themselves what precise config you started out with when you took the machine out of the box ..
Some assemblers even leave in log files that MS specifically demand be removed that give really detailed pointers to what fails to initiate or which will access what etc ..my first machine ( part of a series of 400,00 identical pre installed versions ) had over 2 megs of these confidential "must be removed files" sitting on it still fresh out of the box ...
Gold mine ...or source of much potential grief in the wrong hands ..
[edited by: Leosghost at 11:27 am (utc) on Aug. 20, 2005]
but I have to say that I am not keen to try any operating system that uses case-sensitive filenames.
Without wading into the main thrust of your argument, observe that Mac OS X is based on BSD UNIX (with all the case-sensitive baggage that brings with it), yet integrates HFS+, which is a case-insensitive file system. It works remarkably well. Most UNIX utilities assume case-sensitivity, but do not rely on it.
So, you can have a UNIX environment without a case-sensitive file-system if you so choose.