Linked by Thom Holwerda on Mon 2nd Apr 2007 21:05 UTC, submitted by Dale Smoker
Windows Microsoft has decided to rush out a fix for a flaw in Windows, saying that the problem has become too serious to ignore. The flaw, which will be patched on Tuesday, was originally disclosed to Microsoft in December, but it was not publicly reported until last week. The bug lies in the way Windows processes .ani Animated Cursor files, which are used to create cartoon-like cursors in Windows.
Order by: Score:
Pure comedy
by Laurence on Mon 2nd Apr 2007 22:03 UTC
Laurence
Member since:
2007-03-26

I know any OS, with as wide target base and as many lines of code as Windows does, is vulnerable to attack. However this has to be, by far, the funniest securiety threat i've heard to date!

(At least Microsoft are going out of their way to correct this problem though.)

Edited 2007-04-02 22:04

Reply Score: 5

RE: Pure comedy
by TaterSalad on Mon 2nd Apr 2007 22:16 UTC in reply to "Pure comedy"
TaterSalad Member since:
2005-07-06

Is it funnier than leaving telnet open?

Reply Score: 3

RE[2]: Pure comedy
by archiesteel on Mon 2nd Apr 2007 22:45 UTC in reply to "RE: Pure comedy"
archiesteel Member since:
2005-07-02

Is it funnier than leaving telnet open?


Isn't that changing the subject?

Reply Score: 4

v RE[3]: Pure comedy
by CrazyDude0 on Tue 3rd Apr 2007 00:57 UTC in reply to "RE[2]: Pure comedy"
RE[4]: Pure comedy
by archiesteel on Tue 3rd Apr 2007 01:20 UTC in reply to "RE[3]: Pure comedy"
archiesteel Member since:
2005-07-02

That's not the point, CrazyDude (and yes, I have been critical of Linux *and* I've said nice things about Windows before).

The article is *not* about Linux/*nix. It's about a flaw in Windows. The fact that the OP tried to deflect criticism of Windows by changing the subject is what *you* should be concerned about. That's a logical fallacy, as you can find out for yourself.

At least be man enough to admit that Windows does have security flaws, and that this one is, by and large, quite embarassing. I mean, come on: an *animated cursor* being able to compromise the system?

Edited 2007-04-03 01:20

Reply Score: 5

RE: Pure comedy
by MollyC on Mon 2nd Apr 2007 22:52 UTC in reply to "Pure comedy"
MollyC Member since:
2006-07-04

"(At least Microsoft are going out of their way to correct this problem though.)"

They're going out of their way only because they sat on their behinds on this bug. This bug could've been patched in any of the Jan, Feb, or March updates, and there would've been no need for a rushed out-of-cycle patch. Atrocious decision making.

Edited 2007-04-02 22:53

Reply Score: 5

RE[2]: Pure comedy
by shykid on Tue 3rd Apr 2007 06:12 UTC in reply to "RE: Pure comedy"
shykid Member since:
2007-02-22

Seriously.

Considering they knew about this bug since December 2006, "rush out a fix" makes about as much sense as saying Windows Vista was rushed out.

Reply Score: 4

RE: Pure comedy
by deathshadow on Tue 3rd Apr 2007 02:51 UTC in reply to "Pure comedy"
deathshadow Member since:
2005-07-12

>> However this has to be, by far, the funniest
>> securiety threat i've heard to date!


Oh I don't know... the .jpg buffer overflow that effected EVERY operating system that used the reference code - meaning linux, MacOS and Windows - was a bit funnier IMHO.

I suspect this is something similar, where a programmer got lazy and didn't bother with range checking. I'm often amazed at how often programmers will try to save a few clocks by not bothering with making sure memory accesses don't go out of the expected range, especially on image decoders.

Reply Score: 1

RE: Pure comedy
by Darkelve on Tue 3rd Apr 2007 07:55 UTC in reply to "Pure comedy"
Darkelve Member since:
2006-02-06

"However this has to be, by far, the funniest securiety threat i've heard to date!"

How about a remote, hostile takeover of clippy? :o)

Edited 2007-04-03 07:55

Reply Score: 3

RE[2]: Pure comedy
by dylansmrjones on Tue 3rd Apr 2007 08:18 UTC in reply to "RE: Pure comedy"
dylansmrjones Member since:
2005-10-02

How about a remote, hostile takeover of clippy? :o)


Oh yeah, and use the control to kill clippy ;)

Reply Score: 2

I don't get it...
by the_trapper on Mon 2nd Apr 2007 22:30 UTC
the_trapper
Member since:
2005-07-07

How does a major security threat like this take almost 4 MONTHS to be patched? The largest, richest software company in the world can't manage to do something that a group of "volunteers" manages to do all the time?

I'm really beginning to think that Microsoft and many of the other commercial software companies just don't care. Vulnerabilities are fine, sh*t happens, but for f*ck sakes, patch them before they can be exploited!

Reply Score: 5

RE: I don't get it...
by DittoBox on Mon 2nd Apr 2007 22:43 UTC in reply to "I don't get it..."
DittoBox Member since:
2005-07-08

How does a major security threat like this take almost 4 MONTHS to be patched? The largest, richest software company in the world can't manage to do something that a group of "volunteers" manages to do all the time?


You just answered your own question.

One word: bureaucracy.

Reply Score: 5

RE: I don't get it...
by deathshadow on Tue 3rd Apr 2007 03:01 UTC in reply to "I don't get it..."
deathshadow Member since:
2005-07-12

>> How does a major security threat like this take
>> almost 4 MONTHS to be patched?


Probably because dozens if not hundreds of programs call the vulnerable part of the API, since cursor and icon handling is part of the base of most every program - fixing it is one thing, fixing it and making certain you don't break every application out there is something quite different.

ESPECIALLY when you can't expect everyone to just 'recompile' all the effected programs (a drawback of binary distribution) like you can in the open source world, or worse, because it's all binaries you get programmer trying to take 'shortcuts' for speed or just out of ignorance.

Remember, writing a program for linux takes actual skill and knowledge, while any twelve year old script kiddy can make a program in visual basic... and if MS broke those programs from this fix, you'd have a LOT more complaints than you would from waiting a few months to fix a vulnerability.

Especially with the number of 'corporate' programs that are written in VB, and as such the intellectual equivalents of what a 12 year old script kiddy could churn out in an hour. (and probably took the corporate programmer with multiple doctrates in computer science two weeks to get to the point of being functional)

Edited 2007-04-03 03:08

Reply Score: 3

RE[2]: I don't get it...
by lemur2 on Tue 3rd Apr 2007 03:23 UTC in reply to "RE: I don't get it..."
lemur2 Member since:
2007-02-17

{Remember, writing a program for linux takes actual skill and knowledge, while any twelve year old script kiddy can make a program in visual basic}

Your statement is unfortunately now out of date, since February this year.

http://reddevnews.com/features/article.aspx?editorialsid=708

"Mono enables Windows .NET developers to code in C# or VB.NET using Visual Studio and .NET 1.1 or 2.0 development technologies, and then compile and run .NET code base on multiple platforms, including Windows, Linux, Sun Solaris, Unix and Mac OS X. Mono supports multiple languages, and both open source and commercial compilers. In February, Mono released the Mono Visual Basic Compiler, which .NET developers can use to program in Visual Basic.NET. The new compiler is written in Visual Basic and is "self-hosting."

Reply Score: 1

RE[3]: I don't get it...
by deathshadow on Tue 3rd Apr 2007 03:31 UTC in reply to "RE[2]: I don't get it..."
deathshadow Member since:
2005-07-12

>> Your statement is unfortunately now out of date,
>> since February this year.


Which would mean something if most corporations aren't still maintaining applications written in VB5 and earlier - which means all that .NET stuff means exactly two things.

... and Jack left town, took his **** with him.

Ever been at a company where they expect you to maintain a decade old VB3 application, and when you suggest rebuilding it on a new platform run the risk of getting fired for daring to SUGGEST such a 'radical and dangerous change'?

Also worth mentioning that while mono lets you RUN .NET code, it doesn't have an equaivalent development environment for the *nix platform. Sorry, but Stetic is a tinker toy (even it's developers admit that).

As a certain MS executive said: "Developers, Developers, Developers, Developers, Developers, Developers, Developers, Developers, Developers, Developers, Developers, Developers, Developers!!!"

... and they don't care how stupid they are. Even with mono the entrance fee on the IQ meter is pretty damned high.

Edited 2007-04-03 03:38

Reply Score: 1

adapt Member since:
2005-07-06

Thats just a silly statement.

Reply Score: 1

Laurence Member since:
2007-03-26

This just shows how much BS is coming out of Redmond. MS has nothing over OSX period.


OSX is potentially just as insecure as Windows is, it's just less of a target because the number of OSX installs is vastly smaller than the number of systems running Windows.

Say, for example, if i was to compare the security of my house to Buckingham Palace. There's been far fewer attacks on my house than Buckingham Palace yet does that make my house more secure? Nope - it just means that Buckingham Palace is a bigger target.

OSX is like my house - it has it's flaws but it's not usually worth peoples time hacking it.

[edited - i should learn to proof read]

Edited 2007-04-02 23:03

Reply Score: 2

lemur2 Member since:
2007-02-17

{ Say, for example, if i was to compare the security of my house to Buckingham Palace. There's been far fewer attacks on my house than Buckingham Palace yet does that make my house more secure? Nope - it just means that Buckingham Palace is a bigger target. }

There are more black hats attacking Windows, more systems running Windows for people to attack, more vulnerable point in Windows to attack, and far, far more "tools" to use in attacks (eg existing viruses and other malware to modify to get past virus checkers) against Windows than is the case for either Mac or Linux.

Windows has: more attacks against it, more ways to be attacked, more points of weakness to attack, more people attacking it, and it presents a more attractive target to attack.

So, using which OS are you likely to be less secure?

Reply Score: 2

Laurence Member since:
2007-03-26

Windows has: more attacks against it, more ways to be attacked, more points of weakness to attack, more people attacking it, and it presents a more attractive target to attack.


Actually that's not technically true. If 'hackers' wanted to turn their attention to OSX then they could and I'm sure they would with great success (remember the guy who found a hole in OSX everyday for a month?)

Granted Windows code isn't always that secure, but then theres been loads (and I mean /LOADS/) of vulnerabilities found in OSX as well.

So as I said before, just because Windows is a bigger target, that doesn't make it less secure, it just makes it an obvious target. Saying OSX is secure because it's not an obvious target is no different to saying my house is safer than Buckingham Palace (with it's dedicated guards et al)

I just wish people would learn the distinction between 'whats the biggest target' and 'whats the most secure' because the two don't have to mean the same thing.

Reply Score: 2

lemur2 Member since:
2007-02-17

{So as I said before, just because Windows is a bigger target, that doesn't make it less secure, it just makes it an obvious target. }

I agree with that. Windows isn't less secure just because it is the bigger target, but rather the other way around. Windows is the bigger target because it is less secure.

{The reason I ask is because I bet if Ubuntu was used as commonly as Windows is now and Windows was the new comer, Ubuntu systems would be going down left right and centre because of the technically inept downloading "i love you" shell scripts.}

I very much doubt it. Windows security model is akin to ... "it is OK to run if it has an .exe extension".

Windows security model is after all set on a design path a la Windows 95 ... a single-user, non-networked OS, wherefrom the Win32 API was generated.

In Outlook, rather than fix the fundamentally broken security in Windows, whereby attachments on e-mails could just run without being given permissions, Outlook just effectively banned attachments.

After all, it is in a certain large software vendor's best interest if it can just run code on YOUR system without you giving your permission ...

Edited 2007-04-03 02:56

Reply Score: 1

Laurence Member since:
2007-03-26

{The reason I ask is because I bet if Ubuntu was used as commonly as Windows is now and Windows was the new comer, Ubuntu systems would be going down left right and centre because of the technically inept downloading "i love you" shell scripts.}

I very much doubt it. Windows security model is akin to ... "it is OK to run if it has an .exe extension".

Windows security model is after all set on a design path a la Windows 95 ... a single-user, non-networked OS, wherefrom the Win32 API was generated.

In Outlook, rather than fix the fundamentally broken security in Windows, whereby attachments on e-mails could just run without being given permissions, Outlook just effectively banned attachments.

After all, it is in a certain large software vendor's best interest if it can just run code on YOUR system without you giving your permission ...


That's really not the case any more. Windows is now built on NT technology and can be locked down against running applications for specific users (to use your example)

Reply Score: 1

Laurence Member since:
2007-03-26

There are more black hats attacking Windows, more systems running Windows for people to attack, more vulnerable point in Windows to attack, and far, far more "tools" to use in attacks (eg existing viruses and other malware to modify to get past virus checkers) against Windows than is the case for either Mac or Linux.


Also just to add:

Would you say the security of an OS was determind by the lowest IQ user or by the average learned user?

The reason I ask is because I bet if Ubuntu was used as commonly as Windows is now and Windows was the new comer, Ubuntu systems would be going down left right and centre because of the technically inept downloading "i love you" shell scripts.

Windows biggest problem is that it caters for the stupid so there for half the successful attacks on Windows are down to the users stupidety. Why doesn't this happy on Linux or OSX now? because the average user isn't that stupid. If they know what Linux or OSX are and specifically chosen that system for what it offers then that, in itself, requires a higher level of technical experience than your average Packard Bell customer (who basically buys their system for porn, word and excel) would care to learn.

I hate coming to Windows rescue in these forums because personally i'm not massively fond of Windows myself, but I think some of the comments made on here are as ignorant towards Windows as Windows fanboys are to OSX.

Reply Score: 1

larwilliams Member since:
2007-04-03

Hey!

We Linux fans love porn too.. just more into the ASCII variety ;)

Reply Score: 2

raver31 Member since:
2005-07-06

Windows biggest problem is that it caters for the stupid so there for half the successful attacks on Windows are down to the users stupidety. Why doesn't this happy on Linux or OSX now? because the average user isn't that stupid. If they know what Linux or OSX are and specifically chosen that system for what it offers then that, in itself, requires a higher level of technical experience than your average Packard Bell customer (who basically buys their system for porn, word and excel) would care to learn.


I take it from that statement you have no idea of the way the *nix security model actually works ?

I can set up a linux pc for joe user, let him browse porn/warez sites to he has had his fill, let him click on everything that pops up.... and his machine will still work.

Windows problems are not caused mostly by the user, but by very bad design.

Reply Score: 3

Laurence Member since:
2007-03-26

I take it from that statement you have no idea of the way the *nix security model actually works ?

I can set up a linux pc for joe user, let him browse porn/warez sites to he has had his fill, let him click on everything that pops up.... and his machine will still work.

Windows problems are not caused mostly by the user, but by very bad design.


I'm running about 3 different versions of *nix across 3 different systems right now - i know how they work.

The main reason Linux doesn't get attacked on porn sites is because it's not worth peoples time writing hacks for Linux systems when the vast majorety of platforms will be Windows. If you can trick a Joe User into downloading an VBS in Windows then you can trick them into downloading a shell script in Linux.

Don't get me wrong - i'm not saying ALL systems are equal. Far from it - i'm saying the problem with Windows is emphasised by it's user base.

You can build a stable secure Windows system and I have done just that with a Windows 2000 system with no crashes or successful attacks against it in 7 years (and yes - i have been on some very dodgy sites (etc) yet as I know how to set up a Windows system correctly I've been safe thus far)

Reply Score: 2

deathshadow Member since:
2005-07-12

>> If you can trick a Joe User into downloading an VBS
>> in Windows then you can trick them into downloading
>> a shell script in Linux.


and probably get them to type in their root password as well!

Though I don't know of any *nix programs that will download and attempt to execute files without your asking... something that is ALWAYS a problem with IE and Outlook.

Which is not so much the underlying operating system's fault, as it is that most users aren't smart enough to realize they shouldn't be using those in the first place.

As I tell my users all the time, if a page doesn't work in Opera or Firefox, or you are having trouble with a e-mail in M3/Thunderbird that's probably because it's trying to **** your computer.

Not always true, but true often enough to not be worth the risk - and no matter how many times you explain it that STILL doens't prevent them from doing stupid shit like visiting the same online game site in IE even after it's borked their windows install TWICE. (which is when you block the IP address at the router!)

Edited 2007-04-03 07:33

Reply Score: 1

Laurence Member since:
2007-03-26

>> If you can trick a Joe User into downloading an VBS
>> in Windows then you can trick them into downloading
>> a shell script in Linux.

and probably get them to type in their root password as well!

Though I don't know of any *nix programs that will download and attempt to execute files without your asking... something that is ALWAYS a problem with IE and Outlook.

Which is not so much the underlying operating system's fault, as it is that most users aren't smart enough to realize they shouldn't be using those in the first place.

As I tell my users all the time, if a page doesn't work in Opera or Firefox, or you are having trouble with a e-mail in M3/Thunderbird that's probably because it's trying to **** your computer.

Not always true, but true often enough to not be worth the risk - and no matter how many times you explain it that STILL doens't prevent them from doing stupid shit like visiting the same online game site in IE even after it's borked their windows install TWICE. (which is when you block the IP address at the router!)


Oh I couldn't agree more.

Ditching Outlook and IE is the 1st thing I advice people to do. It maybe an integral part of windows but it's just common sense that you use the best software available to you.

It's just like setting up an Apache server on *nix - you're not going to use an outdated version when there's a newer build around with a few security fixes.

Most Windows users lack common sense though - but then that's the desktop market Microsoft went for - the technically inept.

Reply Score: 1

raver31 Member since:
2005-07-06

I did not mean that to come across as a personal attack, I actually meant to highlight a part statement.

One of the major strengths of *nix over Windows, is that *nix can never covertly install and run programs the way Windows does.

If a piece of malware was on a website, and you visit that website, then the malware will fail install, as it does not have access priviliges.

Now, there might be a download that asks for root password, and users might give it.... that is a totally different thing. That is a compromise, not a vunerability.

The difference is that the user has to do something to let the attack work....

Reply Score: 3

Soulbender Member since:
2005-08-18

"I can set up a linux pc for joe user, let him browse porn/warez sites to he has had his fill, let him click on everything that pops up.... and his machine will still work."

Sure, but all his work, ie home directory, could be thrashed by remote code execution bugs. Remote code execution bugs could also start malware processes running as Joe User. Etc etc. Just because the machine itself can't be breached doesn't mean there can't be problems.
What good is a running machine to Joe when all his mp3's are gone?

Reply Score: 1

raver31 Member since:
2005-07-06

If you did manage to get malware onto a linux machine, and manged to get the user to give the root password, then of course you could get a script to run something like
rm -R -f /*

but what would that accomplish ?
you would ruin one machine.

Joe User would of course loose his mp3 and porno, but he should have backups anyway, they are HIS files after all... but then saying and doing are two different things...

now, back to the scenario...
you have managed to get your malware on a mcahine, excalated its rights to actually run,(with user assistance), and borked the machine....

end of story.
the malware has not been able to replicate or pass on to another, where you are going to have to start the whole process again.

now the next thing... remote code execution... hmmm on linux ? like to see that in action to be honest. I have heard it is possible theoretically, but I want to see it, and I want to see it elevate its rights....

Reply Score: 2

Soulbender Member since:
2005-08-18

"get a script to run something like
rm -R -f /*"

I said the user's homedir, not /.

"but he should have backups anyway, they are HIS files after all"

Because there are a lot of affordable 100Gb backup systems that Joe User can manage, right?

"you have managed to get your malware on a mcahine, excalated its rights to actually run,(with user assistance), and borked the machine...."

Malware does not need to escalate privs to run, it will run fine as Joe User. I don't know where this misconception that malware needs to be root come from but it's patently wrong. Malware don't care about your box, it cares about being able to comminucate with other malware and last time i checked (like 5 second ago) regular users can make outgoing connections and listen on local ports (above 1024). That's all a botnet need, for example.

The unix security model is great but this is not something it was designed to prevent.

Reply Score: 3

Soulbender Member since:
2005-08-18

"now the next thing... remote code execution... hmmm on linux ? like to see that in action to be honest."

Google is your friend

http://mail.nl.linux.org/xchat-announce/2004-04/msg00000.html
http://www.securityfocus.com/bid/22826
http://www.securityfocus.com/bid/19980

Reply Score: 1

Laurence Member since:
2007-03-26

{

If you did manage to get malware onto a linux machine, and manged to get the user to give the root password, then of course you could get a script to run something like
rm -R -f /*

but what would that accomplish ?
you would ruin one machine.

Joe User would of course loose his mp3 and porno, but he should have backups anyway, they are HIS files after all... but then saying and doing are two different things...
}

Exactly my point though - most of Windows successful attacks these days are worms, trojens, etc and are down to Windows users being too stupid to use their system correctly.


{
now, back to the scenario...
you have managed to get your malware on a mcahine, excalated its rights to actually run,(with user assistance), and borked the machine....

end of story.
the malware has not been able to replicate or pass on to another, where you are going to have to start the whole process again.
}

If a program has elivated its rights, then it's clearly got the power to self replicate. To say that malware on Linux with elivated rights only has the power to delete files is a little nieve i think. I could write a shell script tomorrow that replicated itself using echo commands, so clearly a more advanced program would have greater scope of malice.

[edit]

just so you don't get teh wrong idea - i'm by no means saying Windows is more secure than Linux!
Just that Windows /can/ be secure in the right hands.

Edited 2007-04-03 10:32

Reply Score: 1

archiesteel Member since:
2005-07-02

This is possible in theory. In practice, Linux malware is basically non-existent. There are less than 100 known viruses for Linux, and only two or three are known to be in the wild. As far as I know, none of these attack a user's files.

Contrast this to the 100,000+ pieces of malware available for Windows, which cost hundreds of millions each year, and you have a good portrait of how the situation really is.

So while you guys continue to elaborate your highly hypothetical scenarios, those of us concerned with the real world know that malware is a *grave* problem on Windows, while it is virtually *non-existent* in Linux.

Sure, but all his work, ie home directory, could be thrashed by remote code execution bugs.


Do you have concrete examples of this happening?

The fact that, in Linux, a file can't be made executable simply by giving it the right extension really helps make the OS more secure for "Joe User".

Reply Score: 3

Soulbender Member since:
2005-08-18

"So while you guys continue to elaborate your highly hypothetical scenarios, those of us concerned with the real world know that malware is a *grave* problem on Windows, while it is virtually *non-existent* in Linux."

I have never said this isn't he case. In fact, I agree that it is the case at this point in time but that's not what we are talking about. We're talking about what could happen if someone put their mind to it and/or if Linux was a viable target.

"Do you have concrete examples of this happening? "

The point is that it could happen, not that/if it has happened.

"The fact that, in Linux, a file can't be made executable simply by giving it the right extension really helps make the OS more secure for "Joe User"."

"chmod +x" isn't a lot harder than changing the file extension.

Reply Score: 2

archiesteel Member since:
2005-07-02

OSX is potentially just as insecure as Windows is, it's just less of a target because the number of OSX installs is vastly smaller than the number of systems running Windows.


Popularity is not the only reason. A popular OS with few attack vectors would be relatively safe. Some design decisions are also responsible for Windows' dismal security record over the past decade. Some of these are still in use today, such as the fact that you can make a file executable just by giving it the correct extension. The fact that IE and OE were so integrated into the OS has also been problematic over the years.

Claiming that the only reason Windows is insecure is because it has the largest installed base may seem like a reasonable claim, but once you start digging deeper you realize that this is far from being the whole truth.

Reply Score: 5

Laurence Member since:
2007-03-26

Claiming that the only reason Windows is insecure is because it has the largest installed base may seem like a reasonable claim, but once you start digging deeper you realize that this is far from being the whole truth.


I know the whole truth, in my less responsible days I used to be a hacker myself (curiousity rather than malision)
I just think Windows problems are exaggerated by it's user base.

As i said on other forums - once OSX gets more popular (which is happening with the rise of Apples profile) then you'll start to see more security alerts on OSX that rivel Windows.

Edited 2007-04-03 07:25

Reply Score: 1

casuto Member since:
2007-02-27

Firefox is not integrated with the OS, but Firefox is more vulnerable to this flaw because it uses the same Windows API to handle the cursors; instead, IE7 under Windows Vista is NOT at risk due Protected Mode.
So if a software is integrated into OS doesn't mean is unsafer than anether one, because all software can use the same libraries and API with or without integration. IE just uses the HTML/Internet libraries which come with the OS, but it runs with the the same user's privileges like another not integrated browser.
Integration makes no differences in security.
Why people doesn't complain about linux's Konquerror which is integrated in KDE as well Internet Explorer is integrated in Explorer?
Why people doesn't complain about Safari browser which is integrated with Mac OS X?
Why people doesn't complain about Thunderbird wich use the same Firefox gecko engine?
IE is not more integrated than other browser, IE is just a program which use HTML/Internet libraries included into OS like in every modern linux's distribution you have HTML/Internet libraries

Edited 2007-04-03 15:50

Reply Score: 1

Laurence Member since:
2007-03-26

{

Firefox is not integrated with the OS, but Firefox is more vulnerable to this flaw because it uses the same Windows API to handle the cursors; instead, IE7 under Windows Vista is NOT at risk due Protected Mode.
So if a software is integrated into OS doesn't mean is unsafer than anether one, because all software can use the same libraries and API with or without integration. IE just uses the HTML/Internet libraries which come with the OS, but it runs with the the same user's privileges like another not integrated browser.
Integration makes no differences in security.
Why people doesn't complain about linux's Konquerror which is integrated in KDE as well Internet Explorer is integrated in Explorer?
Why people doesn't complain about Safari browser which is integrated with Mac OS X?
Why people doesn't complain about Thunderbird wich use the same Firefox gecko engine?
IE is not more integrated than other browser, IE is just a program which use HTML/Internet libraries included into OS like in every modern linux's distribution you have HTML/Internet libraries


}


While I understand the point you're trying to make, you're not entirely accurate on several points there:

1stly: Though both Firefox and IE use the same APIs to render cursors, IE has vulnerabilities in the way it runs web pages and executes scripts on there. Vulnerabilities which are not present in firefox or Opera (though both Firefox and Opera have other vulnerabilities not present in IE). So it's the vulnerabilities in IE that expose windows rather than the fact that IE is integrated or not.

2ndly: According to the BBC news, it was announced that people who use Firefox and Opera would be safe from the attack. I can't verify the accuracy of this (seeming as I'm not prepared to compromise my own system just to run a test.) but one would hope that a bold claim like that on a national news site would be accurate. link: http://news.bbc.co.uk/1/hi/technology/6509865.stm

3rdly: IE /is/ more integrated into the Windows OS. While earlier versions of Windows (98 to be precise) was proven not to require IE despite MS's claims, I'd doubt that's still the case with 2000 and XP.

Edited 2007-04-03 16:14

Reply Score: 2

archiesteel Member since:
2005-07-02

Firefox is not integrated with the OS, but Firefox is more vulnerable to this flaw because it uses the same Windows API to handle the cursors


Note that in my last post I wasn't referring specifically to this new vulnerability, but to the long history of IE vulnerabilities over the past 10 years. Some of these vulnerabilities would *not* have been so critical if IE hadn't been so tightly integrated with the OS.

Why people doesn't complain about linux's Konquerror which is integrated in KDE as well Internet Explorer is integrated in Explorer?


KDE is just a Desktop Environment, it's not an actual OS. I do believe that IE is more integrated with the underlying Operating System than Konqueror is.

(Remember, at some point Microsoft claimed that they could not ship a version of Windows without IE, because it was a required component of the OS...)

Reply Score: 3

Laurence Member since:
2007-03-26

(Remember, at some point Microsoft claimed that they could not ship a version of Windows without IE, because it was a required component of the OS...)


Ah yes, I believe you're referring to this case:
http://en.wikipedia.org/wiki/United_States_v._Microsoft

Incidentally (and I don't know if this is reported in the cited article) a group of 'hackers' (i hate that term) managed to remove IE from Windows thus proving that Windows does not require IE to operate. This was several versions of the OS ago though and I wouldn't be at all surprised if IE is even deeper entwined into the core of the OS of the present versions of Windows

Reply Score: 1

n4cer Member since:
2005-07-06

Incidentally (and I don't know if this is reported in the cited article) a group of 'hackers' (i hate that term) managed to remove IE from Windows thus proving that Windows does not require IE to operate. This was several versions of the OS ago though and I wouldn't be at all surprised if IE is even deeper entwined into the core of the OS of the present versions of Windows


MS never claimed IE couldn't be removed from Windows. The claim was that it could not be removed without breaking several Windows systems and applications such as Windows' help system, and many third-party applications that used IE's components for their functionality.

Reply Score: 2

n4cer Member since:
2005-07-06

Also, IE has never been tied to the core of the OS. It's always been just an application. A few dlls provide the capabilities for rendering various formats and understanding various protocols. The IE people interact with simply provides the UI for these components, as do several third-party applications that host the components. It's no different that how applications use webkit or gecko for similar reasons.

Reply Score: 2

what happened to "from the ground up"
by jakesdad on Tue 3rd Apr 2007 00:26 UTC
jakesdad
Member since:
2005-12-28

It seems they are the student that just rearranges the words on the paper to make it look like a new report.

and so much for their "code audit"...

Reply Score: 3

As a former Back Hat
by dusanyu on Tue 3rd Apr 2007 01:10 UTC
dusanyu
Member since:
2006-01-21

(actually just a Chrious Poker at systems i could learn from)

I have to state that this statement that windows gets attacked more because there is more windows installs is bogus. Yes there are more computers running Windows and 99% of them are dull (why would anyone take the time to breach security on a system to look at photos of grandma's 90th birthday?) The Interesting computers run non windows platforms for example most high profile web-servers run on a Unix like OS, high security systems usauly run Trusted Solarus and we all know how banks love OS/2.

Personly I went for targets that I could learn something from and windows offered no educational value one could easily Warez a copy of NT 3 and install it on a 486 and learn Windows servers but getting ones hands on a Sun SPARCstation or a HP-UX Workstation was cost prohibitive.

I am not saying windows is a horrid desktop OS its just that windows boxen are BOREING!!! and as a result an unattractive target.

Reply Score: 3

RE: As a former Back Hat
by baad_to_The_bone on Tue 3rd Apr 2007 12:11 UTC in reply to "As a former Back Hat"
baad_to_The_bone Member since:
2006-02-08

I have to state that this statement that windows gets attacked more because there is more windows installs is bogus. Yes there are more computers running Windows and 99% of them are dull (why would anyone take the time to breach security on a system to look at photos of grandma's 90th birthday?)

(Emphasis mine.) They would take the time to hack gradma's PC to put stuff on it, not take stuff from it. Think about botnets.

Reply Score: 2

hollovoid
Member since:
2005-09-21

I remember not being able to drag n drop certain icons in x11 without crash after crash, every OS has had its embarassment, windows just gets publicity. I use Linux (gentoo) and MacOS X at work, and love them both, but there have been much simpler takedowns of both systems in the past,and windows has had its share as well, but if you measure the amount of people looking, compared to found the number is probably very simular. its like people think the colleges that hired the programmers for thier OS was different in some way, people make mistakes in every OS. But if nobody is watching them, does that make it not a vulnerability?

Reply Score: 2

Don't tun this into an OS flame war.
by mzilikazi on Tue 3rd Apr 2007 04:50 UTC
mzilikazi
Member since:
2006-02-11

Seems to me the problem here is that it took so long to fix the bug. That's it, that's all.
It isn't about Win VS.OSX VS. Linux
It's about how responsible Redmond is with their operating system.
It's about the seeming lack of concern over a serious bug.
It's about not doing anything until it becomes public. It's about Microsoft and their apparent lack of concern for their customers.
How exactly does this scenario come to be? Did someone in Redmond say "Aw heck no one knows about it yet why fix it now? We'll get to it next quarter."?
Microsoft cries foul when a vulnerability is released to the public before Microsoft has been made aware of its existence and yet when Microsoft is told about a serious flaw they do nothing because no one is yet exploting the code? What kind of policy is that? According to the article:
"Microsoft's patch has been in the works since security vendor Determina brought the flaw to Microsoft's attention late last year"
I don't understand how the security community is able to create not 1 but 2 patches for this before Microsoft can. It's not as if Microsoft doesn't have all the source code to work with. ;)

Edited 2007-04-03 04:52

Reply Score: 5

shykid Member since:
2007-02-22

Don't tun this into an OS flame war.

But I thought that's what OSNews was all about. ;)

Reply Score: 1

Marcellus Member since:
2005-08-26

I don't understand how the security community is able to create not 1 but 2 patches for this before Microsoft can. It's not as if Microsoft doesn't have all the source code to work with. ;)

1) Security community doesn't have to analyze the fault and check for same or similar problems in the rest of the source tree.
2) Security community doesn't have to run a gazillion of tests to make sure nothing else breaks after fixing this particular problem.
etc.

It's about not doing anything until it becomes public. It's about Microsoft and their apparent lack of concern for their customers.

It was already scheduled to be part of the April patch tuesday, but was rescheduled because it's in the wild.

In general, you don't speed out a patch with all possible haste if you don't have to.
Even various open source projects wouldn't speed out a patch unless it's critical that it gets released ASAP.

Reply Score: 3

Sick of the OS wars
by Laurence on Tue 3rd Apr 2007 07:43 UTC
Laurence
Member since:
2007-03-26

Anyway - i'm sick of these OS wars - most of the people who argue that Windows is sh*t don't use the system anyway and are likely never to side with MS even if they were on fire and Bill Gates had the last ever bottle of water.

The only use Windows because Linux doesn't run Cubase, but I've been more than happy with the Windows system I run. Equally I prefer to play around in BSD these days. It's just using the right environment for the right job.

Reply Score: 1

Windows-what
by Darkelve on Tue 3rd Apr 2007 07:53 UTC
Darkelve
Member since:
2006-02-06

Shouldn't they mention versions affected? Or is it the whole bunch?

Reply Score: 2

RE: Windows-what
by Laurence on Tue 3rd Apr 2007 08:45 UTC in reply to "Windows-what"
Laurence Member since:
2007-03-26

Shouldn't they mention versions affected? Or is it the whole bunch?


It affects Windows 2000, XP, Vista and Server 2003

Reply Score: 2

Re: Mouse Crack
by aGNUstic on Tue 3rd Apr 2007 16:53 UTC
aGNUstic
Member since:
2005-07-28

Weak OS + untrained user + animated mouse + porn site = $ to me to repair.

Reply Score: 0