Home > Internet Explorer > ‘High Risk’ Flaws Found in IE, Outlook‘High Risk’ Flaws Found in IE, Outlook Eugenia Loli 2005-04-01 Internet Explorer 53 CommentsMicrosoft engineers are investigating a pair of highly critical Windows product flaws reported by private security research outfit eEye Digital Security. About The Author Eugenia LoliEx-programmer, ex-editor in chief at OSNews.com, now a visual artist/filmmaker.Follow me on Twitter @EugeniaLoli 53 Comments 2005-04-01 9:11 pm Well, at least FF/TB don’t have new problems as of now…Are these flaws in IE 64Bit too? With Windows XP 64bit now.Darn, real hard to find any drivers for it by the way… 2005-04-01 9:34 pm I see it’s time for the monthly high risk security scare for Internet Explorer. 2005-04-01 9:47 pm And don’t think about installing anything to protect you if you decide to go with WinXP x64 Edition. Nothing is available at the moment. Niet from AVG, Symantec, … 2005-04-01 9:49 pm Thats really good advice, I never use it myself but my wife’s surfing habits won’t let her use FF since it doesn’t work in her Chinese Sina sites, if I could understand the content I might be able to get FF to work but its some combination of multimedia dependancy hell that IE is all too good at exploiting and ofcourse making its settings incomprehensible.Now if I could get IE off, I could Windows off too and show her the wonders of BeOS or $OSX$. 2005-04-01 10:11 pm “laughed so hard I fell off of my chair with this one. Will this ever stop? No, I don’t think so. Maybe the April Fools joke is on anybody using MS products?”Only, maybe the joke is on you every day of the year… 2005-04-01 10:35 pm Err I use IE…no problems…well never had any problems…and I hope all security holes…poor code or not get fixed by M$…I am too lazy to leanr a new OS all over and one that is not as easy to use as XP and one that does not play any decent games…*leaves to go and get Splinter Cell Chaos Theory* 2005-04-01 10:41 pm And why exactly are you reading OSNews? 2005-04-01 10:55 pm that my employer has IE and Outlook as the prefered browser/email combination. I just don’t get it. Luckily they also install Netscape, so there is an option. If only I had privleges to install my own software (Firefox and Thunderbird). 2005-04-01 10:59 pm currently FF and other gecko based products have a problem in the jslibhttp://cubic.xfo.org.ru/firefox-bug/index.htmlhere you can see a small java-script which shows you 512 bytes of memory, actually its the memory from firefox(or other gecko based browser) and only from firefox.as the founder of this bug says it’s an error in the processing of regular expressions.(it was first posted on linux.org.ru – a russian site about linux) 2005-04-01 11:06 pm Yeah, well, it could be, but I like jokes no matter at who’s expense, even MINE!!!!There will be security flaws in just about any OS and software, but the thing HERE is the severity (implied) and length of time to repair these things. It seems as if MS just doesn’t care all that much.FF and Thunderbird and Linux all have problems too, but it seems as if none of them have actually been all that severe or caused that much damage. Even many of the IE and Windows flaws aren’t ever fully exploited, but the potential is there.I still think that it’s prudent for people to at least “think” about changing software, if not Operating Systems, as it just doesn’t seem like this MS thing will ever get any better…. 2005-04-01 11:43 pm I am not a “Windows admin”I consider myself only a “user” (a former user, rather), and so is my friend. 2005-04-01 11:47 pm And I suppose such things have never happened to you or to people you know. How smart! 2005-04-01 11:49 pm Yeah, again! 2005-04-01 11:57 pm The problem with Windows is also its advantage. It is made to please everyone. It is the lowest common denominator OS that is out there. Nothing wrong with that idea but their execution is flawed. Take a look at a Camry and Taurus. Both have the same goal but the Camry’s got better execution all around. Unfortuantely I do not think MacOSX or the highly fragmented cells of Linux will be able to compete with Windows. People will tolerate a lot to stay in their comfort zones. look at gas prices. 2005-04-02 12:12 am Why defend MS?MS = closed source that was originally (and still to this day) hacked together to provide features to customers not security.“According to security alert aggregator Secunia, more than 30 percent of the security holes found in IE remain unpatched.”“In one case, it took Microsoft six months to create and release a patch for a highly critical flaw reported by eEye.”OSS and Linux/UNIX/OSX… = constantly audited code to provide higher security on top of operating systems that are securely designed.It’s not about Windows vs Linux, it’s about protecting yourself. 2005-04-02 12:28 am I’m going to patent stupid computer <–> car analogies. Every idiot that uses it will owe me $699. I’ll be richer than Bill Gates! 2005-04-02 1:14 am I agree that zealots (Linux, MS, Apple, etc.) tend to notice problems with other systems, but not their own. However, I’m not so sure I’d jump on the number of patches as an argument to support my own position. You’re no doubt aware of (and probably sick of, or you wouldn’t have posted as you did) the arguments against this kind of thinking.But, what the hey, it doesn’t hurt to kick a dead horse. Linux is open for anyone to view, regardless of whether it’s Redhat or anyone else. Bugs are more likely to be noticed, whether they are critical or not. Redhat has to pump out the patches for noticed problems, because not doing so would be irresponsible. MS has the luxury of less eyes, and more control over the bug reporting situation.In addition, MS has ignored bugs they have deemed non-critical. Redhat cannot do this, for no better reason than there is competition in the Linux market, and doing so wouldn’t be the best PR move. MS has no such competition, as they are the sole provider of MS Windows. Not that MS is alone, Apple, Sun, and others all share the same advantage.Finally, not all patches are necessarily security risks. A lot of up2date patches are bugfixes to packages that simply don’t work quite as they should. While they are annoying, and add to the numbers game, it’s not exactly correct to include them, as MS offerings often do not include equivalents. In some cases, such things are not even offered, as they are instead pushed to later MS releases, because it gives the marketing folks something to trumpet as “new and improved”.So basically, it comes down to the user’s choice. If your sole concern is the number of updates or MB you download, MS is definitely your choice. However, if you’re more interested in keeping your system as secure and functional as possible, those indicators are all but irrelevant. Instead, you use your own experience and knowledge to determine what OS you use.Personally, my experience is based on the fact that I’ve never had a security breach with the Linux systems we use (in five years), the MS systems (servers and desktops) tend to have a mind of their own (even when they are “safe” they have stability problems), and once we’ve patched our test systems to ensure the patches don’t cause a problem, updating the rest is a relatively trivial matter.So, if you are on a metered internet connection (or dialup), MS’s low patch rate may be a factor, but otherwise, I’d rather have the “warm and fuzzy feeling” that patches are released without concern about some overrated PR numbers game. 2005-04-02 1:43 am Yeah! Again! 2005-04-02 1:51 am I’ve had great success using Thunderbird as a drop-in replacement for Outlook Express, but I’ve had friends & family reluctant to ditch Outlook because of the PIM features (calander, task list, events, etc) and because it integrates nicely with Pocket PCs. 2005-04-02 1:55 am Don’t the Mozilla people put out a seperate app for that?Oh, and to the guy who wants firefox at work, are you really that locked down? I’ve never had a problem installing it to the documents and settings folder on a regular user account. Maybe you oughta give that shot? 2005-04-02 1:57 am Yeah, I thought so, sunbird:http://www.mozilla.org/projects/calendar/sunbird_download.html 2005-04-02 2:28 am I really am not flaming here, but asking an honest question:I genuinely don’t understand why people would use a Microsoft product if they didn’t have to.With all of the quality problems Microsoft has–only so much can be forgiven for being Target #1–why take the chance and deal with the perpetual maintenance head aches.In the spirit of openness and to hopefully prove I hope to have a dialog rather than flame, I use two MS products.The first is Excel, which I think is MS’s best product. It is not perfect, has some moronic UI issues, but in general is the best out there.I also use Word, but because of the lock-in of the file format. When Pages gets to commercial quality–hopefully in a revision or two–I will dump word.But I honestly don’t understand why people use IE and Outlook when there are better, faster, and more secure alternatives out there.Have we entered an industry where it is simply “Microsoft by Default?” 2005-04-02 2:49 am Is the fact that this as always effects EVERY version of Windows ever created! Show how Microsoft rolls old code from version to version to version without fixing things!I am not a Linux freak but even with the problems in Firefox I am not seeing someone take over a Linux or mac OS X machine remotely from the internet through Firefox. Yes every OS has problems but problems in Firefox on linux does not affect Linux kernel problems and vice-versa. Yet on Windows an IE problems can affect everything! It’s crazy!The main mess here is that Microsoft always worries that people will stop using their products for Business applications way more then they care about security. They would rather make sure that applications still work because only 2 % of their customers a year leave MS because of security issues. Microsoft will always care about making money more then making people secure. 2005-04-02 3:05 am XMAN, your comment about gas prices is way off.Gas prices rise $.75 in a year, SUV sales drop 20%. To me, that’s not shocking.The computer industry is primed to make a similar shift. It’s started with third world nations that can’t afford the microsoft tax. This follows shortly by Europe which refuses to pay the microsoft tax. Where do you think Red Hat made all it’s money last quarter? 2005-04-02 3:11 am I keep an eye out for Debian fixes. On Debian Sid there have been about the same amount of fixes in megabytes (150). These are basically downloads of the entire program. Are they all for security fixes? No. Some of them were. Some were simply the normal upgrade to a new version.What sorts of updates have there been? Synaptic. It’s got a new look. KDE (I downloaded 3.4, technically from Experimental) has a few new features. W32codecs got an update, as well. So did OpenOffice.Here is a question: Which of these is a part of a Linux OS?Here is another question: For those packages that received security updates, what was the severity, and the length of time it took from bug report to fix?Still another question: How long will Microsoft take to fix these issues? Quoting Marc Maiffret of eEye: “Over the last two years, they’ve [Microsoft] gotten worse at releasing patches in a timely manner. When you take several months to release a patch for a very serious flaw, you leave your customers exposed. In Microsoft’s case, they have to do better.” 2005-04-02 4:32 am OSS and Linux/UNIX/OSX… = constantly audited code to provide higher security on top of operating systems that are securely designed.Right … and a million monkeys typing will eventually produce works of Shakespeare, eh? The fact of the matter is that NOBODY in the OSS community knows how much code is actually being “constantly audited.” If you doubt it, I can refer you to TONS of bugs in Linux and/or Linux-distributed apps/drivers. So much for your theory. 2005-04-02 4:50 am “If you doubt it, I can refer you to TONS of bugs in Linux and/or Linux-distributed apps/drivers.”Do it! I challenge you to do it.And in any case “Linux” is the kernel. Show me those “TONS of bugs” in the Linux kernel. “Linux-distributed apps/drivers.” doesn’t make any sense.And in any case that would be like making MS responsible for every bug in third party apps. 2005-04-02 5:47 am “If you doubt it, I can refer you to TONS of bugs in Linux and/or Linux-distributed apps/drivers.”First…Please do.Second…Why the anger?Do you not realize that there is no credible argument that favors MS regarding security in comparison to any other operating system? So, why are you so defensive?This is not about Linux vs Windows. It’s about understanding, and in particular, education in regards to Linux/UNIX security advantages because it’s relevant.If you doubt, please read and learn.http://www.usenix.org/http://www.openbsd.org/http://www.acm.org/http://www.bell-labs.com/history/unix/ 2005-04-02 6:23 am ————————————————————Microsoft officials say the complicated nature of testing patches for quality assurance is the reason for the delay, but Maiffret said he believes the problem is due to Microsoft’s insistence at running code audits for every reported vulnerability.“Whenever a vulnerability is privately reported, they do a code audit around the vulnerability to try to find other possible issues. That’s the real reason it takes so long to get a patch. No matter what, it’s unacceptable to take so long to fix something, especially when the risks are high,” he added.————————————————————–Well thats cute. Apparently the goal of security fixes, in the eyes of security analysts, should be to patch the problem correctly, but to patch it fast and sloppy so they can find more related errors to report. Then again most of the linux users are in love with the idea of “speed patching”… I guess its the mentality that if the OS is a commoditiy then the patches must be as well. 2005-04-02 7:02 am FireFox works(user since phoenix) 2005-04-02 7:27 am Well thats cute. Apparently the goal of security fixes, in the eyes of security analysts, should be to patch the problem correctly, but to patch it fast and sloppy so they can find more related errors to report.Well, nothing would keep Microsoft from releasing a quick fix first before investigating the problem as thoroughly as they can… 2005-04-02 8:53 am <quote>currently FF and other gecko based products have a problem in the jslibhttp://cubic.xfo.org.ru/firefox-bug/index.htmlhere you can see a small java-script which shows you 512 bytes of memory, actually its the memory from firefox(or other gecko based browser) and only from firefox.</quote>Shit… It actually works on Firefox 1.0.2 on WinXP. I visited that page, and after a few refreshes I managed to get the URL of a page that I was viewing in another tab! So much for Firefox security… I hope they’ll fix it soon. 2005-04-02 11:18 am The fact is I can point you to several sources saying that Microsoft software is good. This is not an OS War and if you really want to flame others you can go to the OS Wars forums. You cant call Microsoft software or OSS buggy or insecure. Definitely Microsoft is a larger target for hackers and the sort as 90 % of all computers have a version of Windows. Nothing against Linux but just speculation that “A” OS is better than “B” OS is very foolish of someone. 2005-04-02 12:11 pm So every paranoid webby should move to firefox again, because it is obvious FF is much more secure then IE?You know I’m being sarcastic, but I was thinking of an report from symantec last month. Where they stated IE was much more secure then FF on a 1 month based research. 2005-04-02 12:30 pm Well there is one thing you can count on when a MS security flaw is published here…the “Report Abuse” link is clicked much more frequently. 🙂Because Microsoft’s apps are SO integrated, fix a flaw in one spot likely opens another somewhere else. (After being a 15+ year user of MS products, I switched to Linux and have not regretted it for a moment.) 2005-04-02 12:33 pm I hate IE and havne’t used it in years, but I’m stuck with Outlook – not that I like using that either, but My mobile/cellular phone ONLY syncs with Outlook, and my PDA ONLy syncs with Outlook. Whilst I think there are better products out there (and certainly more secure ones) – people like us with multiple gadgets are stuck using the only piece of software that supports us 2005-04-02 12:51 pm “Every OS is coded by human developers. MS code is not better/worse than any other.”What kind of twisted logic is that? Just because software is written by humans and humans make mistakes there is no software that is better, more secure than other software?Wow, impressive reasoning, to say the least.That said, get over it people, MS doesn’t exactly have the best track record when it comes to security. Even MS admits that they have problems in this area and made false decisions in the past. So flat out denying that it is an issue does exactly one thing, paint you as a zealot, nothing more.On the other hand, the reactions of many people here that can be summed up with, LOL!!!!111 M$ suXors!!!11 isn’t very mature either, to put it mildly.And now flame on children. 2005-04-02 1:13 pm ralph (IP: —.dip.t-dialin.net) wrote:What kind of twisted logic is that? Just because software is written by humans and humans make mistakes there is no software that is better, more secure than other software?What kind of twisted logic you have?? It’s your misconception.. I didn’t write “because/that’s why”. I meant MS code is not better/worse than the others just because of coding. You are just another abuser. 2005-04-02 1:25 pm You cant call Microsoft software or OSS buggy or insecure. Definitely Microsoft is a larger target for hackers and the sort as 90 % of all computers have a version of Windows. Nothing against Linux but just speculation that “A” OS is better than “B” OS is very foolish of someone.This is not an excuse when you are working in big corporation where personal as well as financial data is stored. Apart from this there are trade secrets(decisions/tenders/aggrement) with potenial customers. If this gets expose, it cost dearer to the organisation. The point is ,just 90% of all computers have a version of Microsoft is not security problem, the main problem is how Microsoft potential looks at the security. 2005-04-02 1:41 pm So every paranoid webby should move to firefox again, because it is obvious FF is much more secure then IE? Yes.You know I’m being sarcastic, but I was thinking of an report from symantec last month. Where they stated IE was much more secure then FF on a 1 month based research.http://www.greatreporter.com/modules.php?name=News&file=article&sid… 2005-04-02 1:45 pm when will osnews move to an registration-based system?i’m sure it’d discourage most of the trolls here 2005-04-02 1:51 pm i think you can read the russian crap written on linux.org.ruthey have already fixed it, and there a new nightly version of firefox out firefox 1.0.3. 2005-04-02 3:59 pm “XMAN, your comment about gas prices is way off.Gas prices rise $.75 in a year, SUV sales drop 20%. To me, that’s not shocking.The computer industry is primed to make a similar shift. It’s started with third world nations that can’t afford the microsoft tax. This follows shortly by Europe which refuses to pay the microsoft tax. Where do you think Red Hat made all it’s money last quarter?”GasI remember that no more than 5 years ago you van get 87 octane for a $1. Going by your numbers it should be $4.75/gallon 87. If you are talking about the price of a barrel of oil thats different and wouldn’t know about that.LinuxI’m glad that RedHat had a profitable quarter but nothing stellar and nothing that the Street is excited about. Hardly a dent in the Microsoft armor and I am not a M$ funboy just being realistic. A basic rule in sales is that you cater to clients that have money and are willing to spend that money and Microsoft does it with business customers and Apple does it with consumers. With Linux you are catering to customers that have money but are not willing to shell it out or do not have the money and can’t shell it out.How do you think a company like Apple with tiny marketshare can have record breaking quarters in a recession when other companies on the PC side are going out of business yet cater to the larger 95%+ of the computer market?There are limits to where RedHat can go because of Linux’s fragmentation with everyone trying to have their own special version. Their needs to be some type of unification of standards in the Linux world on things like package management and GUI. These fights with KDE vs. Gnome as an example are pointless. Both look awful and are bad copies of Windows in my opinion. I’ve tried Linux on PowerPC and when I had a Duron system and came away unimpressed. Granted this was 2 years ago and I’ve been spoiled with MacOSX and it is unfair to go from one OS to a different one and expect them to be the same like some of these Windows users that say MacOSX sucks becuause they can’t find the Start button in thr dock.Microsoft SecurityIts funny. Thats all their is to it. 100X the software engineering resources of Apple and Linux combined and such a poor track record. 2005-04-02 4:36 pm Well, nothing would keep Microsoft from releasing a quick fix first before investigating the problem as thoroughly as they can… Of course then everyone would bitch that the patch broke things and/or created new security holes. 2005-04-02 6:25 pm Do it! I challenge you to do it.And in any case “Linux” is the kernel. Show me those “TONS of bugs” in the Linux kernel. “Linux-distributed apps/drivers.” doesn’t make any sense.And in any case that would be like making MS responsible for every bug in third party apps.Easy. http://securityfocus.com/bid/vendor/Select “Linux” under vendor. 14 kernel vulnerabilities in the past oh.. 5 days. 7 yesterday alone. 2005-04-02 6:33 pm i think you can read the russian crap written on linux.org.ruthey have already fixed it, and there a new nightly version of firefox out firefox 1.0.3.Until they release an official update (via the front page or automatic updates), it means little to the average user. In fact, it should mean little to even the geek. Why? Because nightlies are not a good idea to use. They are untested before they are compiled, and not guaranteed to work (in fact, mozilla says its not their problem if it doesnt work). Sure, on paper it looks good, that they patched it right away. But in reality, it’s still a crappy response if they don’t release an actual update to fix it this week. 2005-04-02 6:35 pm why does every IE topic turns to a firefox trolls topic? does you believe really firefox is a flawless browser? LOL 2005-04-02 11:34 pm “why does every IE topic turns to a firefox trolls topic? does you believe really firefox is a flawless browser? LOL”No…I don’t believe that Firefox is flawless…just better than IE. 2005-04-03 1:24 am I just wish the auto-update feature worked is all. Half the time you never even see the red icon when an update is available and what good is a red icon to Joe Schmoe who’s afraid to click on something he doesn’t understand?What Firefox needs is a dialogue that pops up informing the user there’s an update available and a simple button that performs the update automatically (doesn’t require you to go through a seperate installer). Also, the auto update needs to work well enough to inform people ON THE DAY IT IS RELEASED, not three weeks later (or not at all) like it currently does. 2005-04-03 2:34 pm does have quality, read consumer reports. Their 2004 Mustang was more reliable than most imports last year. 2005-04-03 7:27 pm “why does every IE topic turns to a firefox trolls topic? does you believe really firefox is a flawless browser? LOL”don’t you think you are the troll who is trying to start here an flame war ? 2005-04-04 3:37 am If only M$ fixed the semi-transparent PNG bug in its Internet Explorer!!!I want to use semitransparent PNGs in my web page without workarounds that sometimes do not work! 2005-04-04 1:55 pm User intervention required. Nothing new here.