Drag-and-drop flaw mars Microsoft’s latest update

Eugenia Loli 2004-08-20 Internet Explorer 85 Comments

An independent researcher warned that an Internet Explorer vulnerability could turn drag-and-drop into drag-and-infect, even on computers updated with Microsoft’s latest security patch.

About The Author: Eugenia Loli. Ex-programmer, ex-editor in chief at OSNews.com, now a visual artist/filmmaker.

2004-08-20 9:57 pm
Again, this seems like one of those useless flaws, like the ones posted earlier. I mean, if a user has to drag, drop etc a file, maybe even rename it, open cmd etc, then is it really a flaw? I could also just tell someone to execute “format c: /s/q”.

2004-08-20 9:57 pm
……..just wondering……….

2004-08-20 10:01 pm
“Again, this seems like one of those useless flaws”
Yes, because it is the same flaw… again… Maybe if someone else words it differently we can claim it again.

2004-08-20 10:20 pm
these small deviations from intended design are to be expected from such a complex and advanced OS such as Windows is. consider all the many thousands of things it does as intended and does very well. developers are only human and programming languages allow some expressivity which unfortunately allows such “features”… but that is the balance we must accept – otherwise code will never be released. i think too many people are too ready to jump on windows. </insincerity>

2004-08-20 10:29 pm
The greatest security flaw on any OS lies between the keyboard and the chair … However I must say that being able to execute arbitrary code from the Internet should not be that easy, at least another dialog should warn of the risks … pro-users will remove it, newbies will eventually learn and probably will remove it themselves …

2004-08-20 10:36 pm
There we go again. MS zealots use the same excuse over and over. Face it, Windows is full of holes.
Users don’t care what excuse you come up with. Take a look at MacOS X or OpenBSD. Both of them are a lot more secure than anything MS has published so far.

2004-08-20 10:45 pm
Cut us some slack. Microsoft is attacked more because it is used by more people.
MacOSX: Where do you get your info? From this? http://osvdb.org/searchdb.php?vendor=Apple
OpenBSD: Where’s the Photoshop port? Doom3? Dreamweaver?

2004-08-20 10:49 pm
Are you sure about that? It might be the soft- and hardware after all. http://www.osnews.com/comment.php?news_id=7804&offset=45&rows=60 *Insert Trusted Computing links here*

2004-08-20 11:11 pm
Gah.. i’m gonna release my own story of this exploit and tell it’s brand new.. *returns sleeping*

2004-08-20 11:13 pm
by exploit.. i didn’t mean it .. as stated higher: plz open “execute and type format” whatever… next exploit will be “plz throw your pc by the window and send us your money” oh well.

2004-08-20 11:24 pm
………. if Windows is used by more people (hence the more vulnerabilities) ……….. does that mean OS X will forever be secure (since there’s less ppl that use it) ? seems like a win to me.

2004-08-20 11:27 pm
An independent researcher warned that a Windows vulnerability still allows to install Linux on top of a computer running Windows XP, in some cases overwriting all files and user settings, even on computers updated with Microsoft’s latest security patch. Microsoft said the issue did not pose a serious risk to users because it requires an attacker to trick people into accepting CD disks with Linux and taking some action at the computer. “Given the significant amount of user action required to execute an attack, Microsoft does not consider this to be a high risk for our corporate earnings,” a company representative said, adding that the software giant’s security experts are continuing to research the issue.

2004-08-20 11:41 pm
Anonymous (IP: —.microsoft.com) HAHA I knew it, one the MS “fans” forgot their proxy…BUWhaaa.
anyways… I think this has already been reported a couple of times.

2004-08-20 11:42 pm
> Microsoft is attacked more because it is used by more people.
Can you explain IIS and Apache then?

2004-08-20 11:45 pm
format… install Linux… Must it be said again?

2004-08-20 11:56 pm
How people can consider that a “vulnerability” and put in every frontpage of every web…. See, SP2 rocks. It rocks because it “forces” software updates, it does cool things like showing you a prompt everytime a process opens a socket in listening mode (ie: a trojan trying to open a remote shell), it rocks because it warns about activex being insecure (yes this is a MS thing, but it is *good* that they start to say the true, activex blows), it uses the new features of the amd processors to break attempts to exploit buffer overflows, it enables the firewall always by default… in short: SP2 rocks. SP2 was not written to make bugs disappear, vulnerabilities WILL be found as in any software. The good thing is that this time you’re more protected, you’ll update your software and it will be more difficult to exploit by virus writers. SP2 rocks.

2004-08-21 12:06 am
Any one who has been around a few years will remember that Microsoft has released many large service packs, all promising that THIS service pack will FIX all bugs and security problems with “insert name of Windows version here”. The truth is it wasn’t true then and it ain’t any more true now. Remember I said this. There WILL be several LARGE security exploits found with systems running XP with SP2 in the next year….count on it.

2004-08-21 12:10 am
I found the exploit test link: http://www.richardharman.com/osvdb/8148-wattadrag/drag-and-drop-tes…
On my system (XP Home, SP2(RC2?)) the exploit does not work at all… so much for that then…

2004-08-21 12:16 am
> Anonymous (IP: 205.206.160.—) HAHA I knew it, one the MS “fans” forgot their proxy…BUWhaaa.
Wrong. It’s a spoofed ip address. Microsoft members are not allowed to post on public web boards.
> Microsoft is attacked more because it is used by more people. Can you explain IIS and Apache then?
I can! Not everyone runs a web server. We are talking desktops here. Duh. But if you want to be fair about it, why don’t you take a poll and see how many people are attacking apache web servers, then take a poll and see how many people are attacking IIS servers. I’m not talking about successful attacks, just the number of attacks. I think you will find since more people use apache they are being targeted the most. Time for you to run back to slashdot now.

2004-08-21 12:27 am
> Microsoft is attacked more because it is used by more people. Can you explain IIS and Apache then?
Sure – you don’t have hundreds of millions of clueless users running Linux boxes with Apache installed.
> format… install Linux… Must it be said again?
Wow, is that the solution? In that case, I will format my hard drive and install Linux immediately. Thank you for helping me see the light!!
> Any one who has been around a few years will remember that Microsoft has released many large service packs, all promising that THIS service pack will FIX all bugs and security problems with “insert name of Windows version here”.
Can you point me to a press release that says MS promises this will fix all bugs, security holes, etc. Any idiot would have to agree that it IS more secure than SP1 anyway.

2004-08-21 1:38 am
> …why don’t you take a poll and see how many people are attacking apache web servers, then take a poll and see how many people are attacking IIS servers. I’m not talking about successful attacks, just the number of attacks.
Knowing the number of attempted attacks is a useless piece of information to use to determine the security of a given piece of software. The poll you describe needs to question the number of successful attacks.

2004-08-21 1:43 am
It’s problems like this that keep me from using Windows at home. I am an OS X user on my Macs and I also use MorphOS on my Pegasos II G4 system.
While no OS is completely safe, OS X does offer a much safer system. It’s unix based, tested and true. Even with that list of bugs.

2004-08-21 1:44 am
I use several operating systems, including Windows and Be OS. I’d say a good nickname for this exploit might be “Drag and Drop Dead!”

2004-08-21 2:26 am
> format… install Linux… Must it be said again?
In an exploit like this, where it involves a user following a list of commands in an e-mail; would any OS really be safe? A user that follows all of these commands on a Windows system would probably follow these commands on a Linux system:
1. If running Red Hat save attached .rpm file to a directory on your machine.
2. Double click .rpm file.
3. You will be asked to provide Password to install, enter password.
4. Enjoy!
or
1. Save attached file
2. Open terminal window and cd directory to directory you saved the file in
3. type “su”, enter password at prompt
4. type chmod a+x filename
5. …
It’s not like it’s the people that really know a lot about computers that fall for these exploits; it’s the same people that click “Yes” on any prompt that appears, people who just sit down to enjoy their computer, not wanting to know about its inner workings. I would think any OS couldn’t shield them from user initiated exploits. Now the auto execute Active-X flaws of Windows, that’s a different story.

2004-08-21 2:31 am
http://www.nd.edu/~jsmith30/xul/test/spoof.html ’nuff said…

2004-08-21 3:14 am
You said it well – from my experience, most apps required a root password in Linux before I could install them, so it seems to me it is possible that any kind of malware could be installed if the root password was given.

2004-08-21 3:31 am
> Wow, is that the solution? In that case, I will format my hard drive and install Linux immediately. Thank you for helping me see the light!!
You are welcome.

2004-08-21 3:38 am
Photoshop on *BSD? Hahah good one!
You guys in the Pacific Northwest sure got a sense of humor :^)

2004-08-21 3:38 am
> Cut us some slack. Microsoft is attacked more because it is used by more people.
We ought to change the latter in order to change the former!

2004-08-21 4:49 am
@Darius
> Sure – you don’t have hundreds of millions of clueless users running Linux boxes with Apache installed.
Oh right because Apache on works on Linux…..NOT!
@TaterSalad OK!
“On the Web server front, Microsoft was again the most popular target. Microsoft’s IIS (Internet Information Services), the software that was exploited to spread Code Red and Nimda, was attacked over 17 million times, Wong said. SecurityFocus customers running the open-source Web server Apache were attacked only 12,000 times, he said, meaning that IIS systems are “1,400 times more frequently attacked than Apache.” http://www.cnn.com/2002/TECH/internet/02/25/2002.security.idg/index…

2004-08-21 4:51 am
on — only

2004-08-21 8:53 am
“format… install Linux… Must it be said again?”
I am sure there is a far better solution than that…

2004-08-21 9:08 am
A bit off topic but this one really blew me away! http://www.nd.edu/~jsmith30/xul/test/spoof.html The bug that emulates the XUL interface. Just about anyone can be fooled if close attention is not paid. Are there any Mozilla/XUL developers around here that can comment on that?

2004-08-21 9:27 am
Most of the comments here are simply ridiculous. So someone discovered a new vulnerability in windows after SP2. While this may not be the worst vulnerability ever witnessed by mankind this is at least newsworthy. But instead of any kind of informed discussion on the subject what do we get? A bunch of windows zealots shouting bs. So we are informed that other OSs do also have security problems. *Gasp*, who would have thought that? Does that have anything to do with this news? No? And of course we are informed that windows is only so plagued by viruses and worms because it is so popular.
While this does play a part it has been shown again and again and again that this is not the only source of the problem. As has been mentioned before just look at Apache and IIS to see that market share alone doesn’t directly translate into the number of security problems. But the funniest thing is that SP2 itself is the best proof that Windows XP had grave security problems and design flaws. After all this SP doesn’t just provide bug fixes but as MS themselves claims a whole new approach to security. Of course if you so much dared to suggest that something like that was needed before SP2 was out you were an anti-MS zealot…. So please people get a grip you are neither doing yourself a favor with your behavior, nor the people who want to read this discussion, not the OS you prefer.

2004-08-21 10:16 am
Well, I work with support/maintenance/programming for years now. What I can say is: there is no solution for the big problem we have between the chair and keyboard on some places. Firewalls, anti-(virus, spyware, malware, trojan, dialer, worm) will not stop some guys.

2004-08-21 11:43 am
What SP2 does, for most of home users who run XP Home on Celerons:
1. Enables firewall;
2. Reminds that having antivirus with latest virus definitions is necessary;
3. Enables automatic patching, necessary evil for home users.
> SP2 itself is the best proof that Windows XP had grave security problems and design flaws
See above.
> Of course if you so much dared to suggest that something like that was needed before SP2 was out you were an anti-MS zealot….
I must be biggest anti-MS zealot of all, then: to every happy owner of a new Windows computer I told the same three things, listed above. I also said repeatedly that Microsoft made a very, very big mistake not enabling firewall by default, when it released XP.
> not the OS you prefer.
Yes, we do prefer Windows, and do not like to listen to bs about it, or to some Soviet style propaganda of how everything is much better if it is GPLed and Linux and OpenSource. Gosh, a hacker can hack Linux computer by sending it email with specially crafted image. A bug like that on Windows would very soon result in exploit and Linux zealots screaming about how inherently insecure Windows is. Where is exploit for Linux? It is simple to code, indeed, it is just buffer overflow type of exploits. Shouldn’t it be that desktop Linux is not targeted that often yet, hackers do not bother to abuse even the most critical bugs in it? Yeah, after these types of exploits a recommendation to “format and install Linux” is very much useful, indeed. Guys, enjoy YOUR Linux while it lasts. Keep it for yourself, it is not ready for dumb users targeted by bright hackers. Like UNIX before it, it is ready for bright admins only.

2004-08-21 12:10 pm
“Yes, we do prefer Windows, and do not like to listen to bs about it, or to some Soviet style propaganda of how everything is much better if it is GPLed and Linux and OpenSource.”
Just like “we” don’t like to be accused of being communists for running GPLed, Linux and OpenSource.
“Gosh, a hacker can hack Linux computer by sending it email with specially crafted image. A bug like that on Windows would very soon result in exploit and Linux zealots screaming about how inherently insecure Windows is.”
Have never heard of that. Do you have any real info on that? Like say a link?
“Guys, enjoy YOUR Linux while it lasts.”
– Ohhh, I intend to, and it’ll last and last and last and last 😉

2004-08-21 12:16 pm
Thanks for pointing out what SP2 does. I have it installed so I know what it does. Anyway, where does that counter the point I made? If you criticized XP before, good for you. Does that mean that there weren’t enough people out there that behaved the way I described?
And you are right, SP2 certainly is a good thing but it also shows one of the greatest problems of XP, having a host of daemons listening to the world in the first place simply is bad design from a security point of view. And did I even mention Linux? Anyway, your claims about Linux’ lack of security are simply unfounded and ridiculous. Now before you mark me as another linux zealot spouting out soviet style propaganda that doesn’t mean that linux is perfect. It isn’t, it’s just better imho. Btw. accusing people who have a different opinion and dare to voice it of soviet style propaganda is not the way people should discuss matters. Finally, pointing out that other OSs have security problems too is simply irrelevant. I mean, if there is a major Linux security flaw my reaction would be to patch my box asap not sit back and point out that windows does also have vulnerabilities.

2004-08-21 12:30 pm
I am sorry you missed the counter point. Here it is: What SP2 does for home users is not a proof of Windows design flaws. It is a proof that badly chosen defaults could be a problem. Like, say, a version of other OS distro which was released around 2000 and, according to CTO of other OS distro company is hackable in 45 seconds if put on the Internet in its default configuration. What that other OS doing differently since then? Well, now it has firewall enabled by default! Is disabled by default firewall is design flaw in other OS? Sure not!
> having a host of daemons listening to the world in the first place simply is bad design from a security point of view.
Well, then some other OS had a bad design. Yet, another OS lets name it OS X, was installed with firewall disabled. Is it design flaw? No, it is bad business decision from a security point of view. That is my point: do not mix design flaws with configuration settings. You are either confused or confuse others. A test: can you enable firewall in original XP? Yes, you can. So, it was there by design. No flaw in design.
> And did I even mention Linux?
I’ll try not to mention it, too. Other OS is not a solution for these types of user problems.

2004-08-21 12:38 pm
*Sigh* Yes it does show design flaws. If an incredible amount of ports are open and have services listening on them is not a design flaw when it comes to security then what is? And btw. having a firewall enabled by default is just a workaround not the solution to this problem. Though once again it is a step in the right direction. And once again about your childish comments about as you call it other OS. Spreading Fud and acting childish doesn’t make problems windows had and has go away. Really, you can try it all you want, it won’t secure your box.

2004-08-21 12:52 pm
I think the point is that most of us using Windows KNOW it has some serious design flaws when it comes to security, especially when it comes to IE. But why is it that people feel the need to point this out every fucking time an article is posted about Windows and security? You’ll get some nimrod on here going “Yeah, just format your hard drive and install Linux” .. well, I have two things to say about that …
1. I have said this repeatedly and it bears repeating here as well – some of us HAVE to use this OS for one reason or the another, so everytime you or one of your ilk comes along and screams from the rooftop about how insecure this OS is, it’s like a swift kick in the balls, and it benefits NOBODY. So, can you please .. quit stating the obvious? I would LOVE to use an OS that is more secure by default, but I don’t have that option. Why? The answer to that question is off-topic, so I’m not going to go there (again).
2. It seems that the ultimate solution given to us is to reformat the hard drive and install Linux. Well, sorry … but many of us know how to secure our boxes and don’t have security ‘problems’ to begin with. For those that do, I really don’t see Linux as the be-all/end-all solution to this problem.
Sure, it’s better than Windows in this area, but as long as Joe Sixpack is behind the wheel, not by much. See, there is this little thing called social engineering, which basically means you can get a lemming to do anything you want them to do, so I don’t imagine there is ANY OS that can withstand stupidity. If that were the case, the security flaws in Windows wouldn’t be nearly so apparent as they are now. I mean, if all these millions of people running Windows were even halfway computer literate, how many less viruses and worms do you think we’d have? Oh “but people shouldn’t have to be subjected to these kinds of problems” … yeah, ok … so you can go to their house and set up Linux for them

2004-08-21 1:06 pm
It is evident that the reason the report abuse button isn’t working is that the site owner is trying to get hits up. Visits are down aprox. 29% over the last 3 months. You people posting in these flame throwing threads are a bunch of suckers. Doh.

2004-08-21 1:07 pm
Don’t you think that it is a little unfair to attack me for something I never said? All I did was comment on this discussion here. And if you care to read the discussion you will find the most of the people chose to simply ignore problems windows has. How is pointing out that this is a dumb approach to say the least a bad thing? So please, if you criticize me then criticize what I wrote and not some childish comment by someone else.

2004-08-21 1:16 pm
> How is pointing out that this is a dumb approach to say the least a bad thing?
Because it has been pointed out 20 million times already .. it’s been done to death.

2004-08-21 1:19 pm
So the problem is not that discussion forums are full of people still following this approach but pointing out that it is dumb?

2004-08-21 2:52 pm
“I found the exploit test link: http://www.richardharman.com/osvdb/8148-wattadrag/drag-and-drop-tes…..
On my system (XP Home, SP2(RC2?)) the exploit does not work at all… so much for that then…”
I tried that test with mozilla 1.7, firefox 0.9, opera 7.54, and finaly ie 6 after a install of sp2. Wut I got? Yah it never worked for me on none of the above listed browsers … Ol well ~~~ In either way despite all the issues Windows are to have and all the things I’ve dun with Windows I have never got a virus, been hacked, and the wutever you and a lot of other ppl talks of. So yah I agree the issue is the dude that set’s, lays, er however they may access their computers. In real all these years Windows XP has yet to even crash on me but wut I’m to know I’m a Windows user (also use Linux … when it works right sometimes lol)
–Idoxash

2004-08-21 5:27 pm
> OpenBSD: Where’s the Photoshop port? Doom3? Dreamweaver?
LOL! So, Microsoft is less secure than OpenBSD because Photoshop and Dreamweaver run on it

2004-08-21 5:29 pm
Yeah, and the past 2, 3 years i’ve seen frequently these articles that “security is #1 priority at Redmond”. I can’t agree with that when the following happens: Known vulnerabilities being known 150 days after which an exploit in the wild is released. Only after that a patch is made available. This happened various times with MSIE; hence i don’t see the security in MSIE being #1 priority.

2004-08-21 5:40 pm
Microsoft is widely more insecure then its competitors. I do not think anyone really doubts that. (I have never met someone that did). Even though I heard microsoft is saying that they’re the most secure, but they probably do not even believe what they say. How is that news? Microsoft has the most bugs and security holes, and will for at least the next five years, and probably long after.

2004-08-21 6:36 pm
> “format… install Linux… Must it be said again?” I am sure there is a far better solution than that…
Indeed. It is not necessary to format the Hard Drive to install Linux. Dual-booting is recommended for novice users.
2004-08-21 6:39 pm
“Microsoft is widely more insecure then its competitors.”
I agree MS has some issues. I’m less than sure they have enough competition from any combination of sources to consider anyone “competitors”.

2004-08-21 6:39 pm
> Gosh, a hacker can hack Linux computer by sending it email with specially crafted image.
Care to provide a link?

2004-08-21 7:56 pm
One thing that I hear a lot is the idea of “requiring root” being safer with Linux… sure, most certainly for servers. But for desktops? My main operating system is Linux (on all my desktops and laptops), yet I’d worry about a browser compromise, because everything I CARE about is accessible by my user account. Someone being malicious could erase everything in /home/joe, and it would require the same privs in which Firefox runs. I don’t care if someone breaks XFCE4, or screws up something else, as long as my /home partition is intact. I guess my point is that it doesn’t matter whether you’re root or not when you are concerned about the data owned by the user account. The stuff in the root partition can be rebuilt… the stuff in /home is priceless (in comparison).

2004-08-21 8:41 pm
The problem is that most malware out in the wild these days does not target user files. Spammers and crackers seek access to your machine – they could care less about deleting your files. And if you’re so concerned about protecting your user files, just backup them to CD, or better yet to another user account, for which your common user does not have access. Heck, if you’re that worried about your files, back them up to a separate partition and unmount that partition (i.e /backup). There’ll be no way to get to them unless you re-mount that partition, something which only root can do.

2004-08-21 8:50 pm
Good Lord, man. Work on your spelling and grammar. That was painful to read.
2004-08-21 9:13 pm
Most of the people posting here have no knowledge of computer security, systems programming or anything… They are just both-side-zealots. Better just ignore them.

2004-08-21 10:27 pm
“By Anonymous (IP: —.microsoft.com) – Posted on 2004-08-20 22:45:57 Cut us some slack. Microsoft is attacked more because it is used by more people.”
Normally these attacks should prove to be in vain with a Microsoft effectively investing the money all those people paid for Windows into solid security.

2004-08-21 11:27 pm
For users of XP SP2, in Internet Options –> Security Settings, there is an option for Binary and script behaviors, set this to disable or administrator approved and this highly critical flaw will no longer work while at the same time breaking no functionality (that I could tell). The http://www.malware.com/wottapoop.html proof-of-concept looks absolutely ridiculous. It is very very suspicious looking when I have this window hanging off out of my IE window and sometimes even being able to see the startup items icons in the background while loading the page or moving the window around. Anybody tried right clicking on the destination of that icon? I’d like to see the version of this exploit that secunia says is possible where all a user has to do is click on a link. I don’t believe that it is possible. Has anybody looked at the new Group Policy options that Microsoft has put into SP2 regarding Internet Explorer? Microsoft obviously does care about security because in SP2 the changes or additions regarding security policy are all over the place. All 57 people who commented on this forum know what and how to use Group Policy right? The single most beneficial feature in Windows? The power to control all aspects of Windows, easily? Does any other OS provide Group Policy like functions as seamlessly as Windows? Nope.
2004-08-22 12:02 am
Many of you seem to overlook the fact that there have been NO vulnerabilities reported for IIS6, and no major ones for Windows 2003 in general. But then again, this is a bash Microsoft crowd, not give them credit where credit is due crowd.

2004-08-22 2:14 am
“… the fact that there have been NO vulnerabilities reported for IIS6…”
FUD.
http://secunia.com/advisories/11563/
http://secunia.com/advisories/9334/
“… and no major ones for Windows 2003 in general …”
More FUD.
http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
http://www.securityfocus.com/bid/8522
http://www.securityfocus.com/bid/7788
http://www.securityfocus.com/bid/9624

2004-08-22 2:28 am
If I recall reading elsewhere correctly, service pack 2 for XP does a major replacement of many core windows components, and even kernel changes. To me, that is more than a “service pack”, it is a new operating system. Imho, getting rid of active x, unhooking the web browser from the OS, and using Suns’ Java would solve quite a few security problems for Microsoft.

2004-08-22 2:57 am
This is a Damn good point.

2004-08-22 2:58 am
Let’s just face it. Windows is less secure than Linux and Mac OS X period. Windows has gotten better in the security and stability department for sure, but they are still not top dog. This new “Vulnerability” is bogus. I consider a real hole one that allows a virus to enter with little or no user intervention, which has happened many times before with MS. BTW, I do not look at SP2 as a God-send. Quite frankly, I rarely install updates from MS because of past experiences. I updated a lot of machines running Win 98, Win Me, & Win Xp at my workplace and I have noticed a performance hit, especially on Win 98. Installing updates screwed up my old computer and numerous ones at work to the point of needing a reformat. That is just wrong. And for your information my machine, running XP Home with Norton and some Anti-Spyware programs, is pretty darn secure.
One virus (which was easily removed) and hardly no spyware for 3 years now, but I don’t visit Warez sites and download stuff I shouldn’t, which has helped a lot. My 2 cents worth.

2004-08-22 3:03 am
“… Has anybody looked at the new Group Policy options that Microsoft has put into SP2 regarding Internet Explorer? Microsoft obviously does care about security because in SP2 the changes or additions regarding security policy are all over the place. All 57 people who commented on this forum know what and how to use Group Policy right? The single most beneficial feature in Windows? The power to control all aspects of Windows, easily? Does any other OS provide Group Policy like functions as seamlessly as Windows? Nope. …”
Group Policy is just a bad imitation of a real multiuser environment available in many UNIX implementations. Indeed, to make it work with Windows XP you have to use an ugly hack and most of the times it works partially. In the other hand, if MS is using ‘Group Policy’ to prevent bugs being exploited instead of managing users’ privileges only is a symptom of a very poor security policy in their OS IMHO.

2004-08-22 3:34 am
I’m not in IT, but I can definitely tell you’re speaking out of an orifice that is not your mouth. Group policy: http://www.microsoft.com/windows2000/techinfo/howitworks/management… Group policy has nothing to do with users/groups. This sort of thing is not necessary with Linux/Unix, since everything is configured in textfiles which can be updated by scripts. I’m sure it is arguable which situation is better to administer. Also, there’s nothing magical about UNIX as compared to Windows when handling multiple users; it’s just a matter of having a network-transparent windowing subsystem for a thin-client scenario. NT has always been able to handle applications running within multiple users contexts… what more is there to multi-user?
2004-08-22 3:52 am
“Group Policy is just a bad imitation of a real multiuser environment available in many UNIX implementations. Indeed, to make it work with Windows XP you have to use an ugly hack and most of the times it works partially.”
First of all, how the hell is Group Policy, the ability to centrally manage every aspect of the operating system AND its accompanying software, an imitation of ANYTHING that is on UNIX or Linux? There is no comparison between Group Policy/Active Directory and anything the competition can brew up. You may need to take another look at what exactly Group Policy is because it is heavily integrated into Windows 2000, XP, 2003. You don’t need to “make it work” by using an ugly hack, the “hack” is called the Group Policy Snap-In which comes with the 3 OS’s I just mentioned. Group Policy in an Active Directory environment will do as its supposed to 99% of the time from my experience. Benefits of having IE integrated in the OS? Policy management. Firefox and other browsers will never be used in a corporate environment because of its lack of manageability. One user installs firefox, 6 others use it with their respective accounts. The domain administrator (or home user with family members) cannot manage anything with those 7 users’ preferences. For example, not allowing it to cache passwords. With IE being integrated into the OS, it allows Microsoft to provide manageability via Group Policy so that one person controls ALL users regardless of their local privileges.
“In the other hand, if MS is using ‘Group Policy’ to prevent bugs being exploited instead of managing user’s privileges only is a symptom of a very poor security policy in their OS IMHO.”
Microsoft does not use group policy to prevent bugs from being exploited. Microsoft created group policies to let administrators manage their users effectively and seamlessly. Also, it’s not a bug, it’s a feature being taken advantage of.
If Microsoft ever releases a patch for this drag and drop vulnerability, all they’ll do is disable the drag and drop capability and the “bug” is fixed.

Absolute bottom line… IE is an administrators AND home users’ best friend because of its manageability and customizability. And before anybody tries to tell me about how Firefox is sooo customizable, check out gpedit.msc and all its glory before replying. I have a feeling that everybody who bashes Microsoft and its products has no idea how to use or manage its products and take advantage of stuff the “normal” user never sees. I’m certain most haters here are just normal users that do not take the time to learn EVERYTHING about the OS. I know I don’t know EVERYTHING about Unix, but from my year and a half of working with it, I still think that it’s a very time consuming platform to manage compared to Windows.

Last thing… I know Active Directory is just a Microsoft’izmed LDAP system right? LDAP can run on Linux and Unix? Where is an implementation of LDAP that is comparable to Active Directory? And please no text configurations either, there is a place for text configurations and policy management is not one of them. Gotta have a GUI to make things easy.

Hardcore user of Microsoft products 4 life… Pleezbaleevit.

2004-08-22 3:58 am

Using IE is like sleeping with a crack head who knowingly has AIDS and not using any kind of protection, it’s like walking through a minefield blindfolded, it’s like jumping into a pit with a hundred rattlesnakes with no anti-venom. Use Netscape or Mozilla Firefox. It is about your best bet.

2004-08-22 1:56 pm

Not really, if you know what you are doing IE can be plenty ‘secure’. And the reason I use it when I’m booted into windows is because it loads in less than 2 seconds. Firefox/mozilla can’t say that. Bloody memory hogs

2004-08-22 3:05 pm

“See, SP2 rocks.
It rocks because it “forces” software updates, it does cool things like showing you a prompt every time a process opens a socket in listening mode (ie: a trojan trying to open a remote shell), it rocks because it warns about activex being insecure (yes this is a MS thing, but it is *good* that they start to say the true, activex blows), it uses the new features of the amd processors to break attempts to exploit buffer overflows, it enables the firewall always by default…”

So all a trojan has to do is find a way around the display dialog. Warning about activex being insecure is like a car company warning you that driving fast is dangerous, people don’t listen. What about Intel processors? Applications can turn off the firewall.

“in short: SP2 rocks. SP2 was not written to make bugs disappear, vulnerabilities WILL be found as in any software. The good thing is that this time you’re more protected, you’ll update your software and it will be more difficult to exploit by virus writers. SP2 rocks.”

So Microsoft patched the dike instead of fixing the flaws. Yep, SP2 rocks like a bad punk song.

2004-08-22 5:09 pm

Not really, if you know what you are doing IE can be plenty ‘secure’. And the reason I use it when I’m booted into windows is because it loads in less than 2 seconds. Firefox/mozilla can’t say that. Bloody memory hogs

----

ya if you know exactly how to patch it maybe but who wants to bet that the next security hole won’t come up in a quarter. IE loads along with the operating system giving the *perception* of loading faster. my firefox browser loads in 3 seconds btw. i just timed it and memory resource utilisation with 43 tabs open on a 64 MB system running smoothly doesn’t look like a resource hog at all. clear your cache if you want to really know

2004-08-22 5:35 pm

And the reason I use it when I’m booted into windows is because it loads in less than 2 seconds.

That’s because of pre-loading – i.e. it already loads when you start up your computer.
KDE does the same thing with Konqueror – I just click on the icon and it pops up. Ironically, this means that it is in fact IE which is the memory hog, not Firefox, because IE uses that memory even if you’re not using it.

Anyway, gotta agree with Roberto here (doesn’t happen that often 😉), if you use IE then you’re inviting trouble. Better security is worth a two-second lag in app loading.

2004-08-22 7:03 pm

http://www.securityfocus.com/archive/1/370853

There was a buffer overflow in libpng a little while ago. That’s probably what he’s talking about. It supposedly allows for execution of arbitrary code, although that particular description doesn’t mention it.

2004-08-22 10:14 pm

I hope I didn’t miss an example somewhere in the article, but let me get this straight. An external website can cause Windows to add an application to the startup by the user dragging an image across lines within the webpage? This happens without any kind of user confirmation or anything? If this is the case, that is an absolute oversight, and there is absolutely no excuse for that. If this only works on a local intranet, that might be excusable. Hell, even an experienced ‘security’ aware user would be fooled by such a case. I might well be fooled because I would have never guessed playing around dragging images within a webpage could do anything to my system. A website could make it into a game. Drag the images across some lines to solve some kind of puzzle. Maybe even a tic-tac-toe game. I just can’t imagine the code that would allow this. It almost seems like more effort to create this flaw.

2004-08-23 12:05 am

It seems the advisory also notes that IE is vulnerable to some of the problems as well, so it might not have been such a good idea for Russian Guy to mention it to support his pro-MS, anti-Linux argument…

2004-08-23 1:59 am

First of all, what I said was not FUD, perhaps you need to learn what the term means before using it.
Secondly, the IIS6 ‘vulnerabilities’ are both very very minor, as if you follow simple server administration guidelines, ie do not use your server as a desktop system, then they do not affect you at all. As for the Win2003 vulnerabilities, the only really major one you listed was the RPC exploit, which, again, run your server correctly, with a bloody firewall, will not affect you at all, and the same goes for the others. Also, remember, that is all you came up with, these two products have been out for over a year, nearly a year and a half.

2004-08-23 1:49 pm

between double clicking the file, which is easier than this method??

If you drag something onto the command prompt, you then have to press the enter key. It does not automatically execute, but adds the path and filename on the command line. More steps than double clicking the file. If that is all that can be found, I would say it is pretty tight. No different than dragging something onto Konsole.

2004-08-23 2:17 pm

Get one news blurb about a Windows problem and it’s a flame war. The real problem is PEBCAK: Problem Exists Between Chair and Keyboard and there is no known patch.

I don’t know about you all, but I don’t put all my faith in one company to make sure my Internet surfing is totally secure. I also don’t believe the Internet is a safe happy haven. It can be a frightening place fraught with peril and ne’er-do-wells who wish to break into your system because “they can”. I take a bunch of precautions but I know sometimes it may not be enough. That’s the risk you take going online.

As seasoned computer veterans, we know that we need to have our systems secure and we do it. It’s the newer or “casual” computer user who never thinks of locking their machine down. The only way to fix this is by trying to teach these people how to use what they have.
Telling them to “install Linux” or “Use Mozilla” is not teaching because down the road we know (and I’m sure even the most die-hard Linux fanatic knows but won’t admit it) hackers WILL focus on Linux when it becomes popular enough. Those newbie users who are now running Linux (after they were convinced to switch) will probably fall into the same or similar traps as Windows.

Maybe instead of focusing all our power into bashing OS’s, maybe people should pool together and make some sort of PSA on computer use? It’d be more productive.

2004-08-23 2:31 pm

and I’m sure even the most die-hard Linux fanatic knows but won’t admit it) hackers WILL focus on Linux when it becomes popular enough. Those newbie users who are now running Linux (after they were convinced to switch) will probably fall into the same or similar traps as Windows.

----------

popularity argument again. explain apache vs IIS then

2004-08-23 4:00 pm

IIS 6 is pretty darn secure… unless you’re browsing the web from your production webserver or running it with absolutely no firewall. Actually, even with IIS 5, most of the security issues revolved around poor defaults.

I don’t understand why you don’t get it through your thick head that trojan horses affect users equally on either operating system, and there is no way to design a gun that will make it impossible to shoot yourself in the foot.

2004-08-23 4:34 pm

Take a look at MacOS X or OpenBSD. Both of them are a lot more secure than anything MS has published so far.

Ya, OpenBSD looks to be a pain to install, & maybe other stuff. Mac OSX, ok everyone who wants a secure OS should get a $500+ system instead of a free or $40-60 linux distro.
2004-08-23 9:59 pm

Reading the trivia on this board reveals self-professed security experts and programmers are pretty dumb, particularly the clown who couldn’t get the original vuln demo working, seems someone out there made an idiot-proof one just for him.

Demo website: http://www.mikx.de/scrollbar/

2004-08-23 9:59 pm

hackers WILL focus on Linux when it becomes popular enough.

Then Windows users should encourage others to switch to Linux, since that will take focus away from Windows and therefore increase its security…

You’ll find that most Linux advocates don’t want their OS to dominate – they just want a diverse OS ecosystem. For some reason, pro-MS posters here seem opposed to this.

2004-08-23 10:07 pm

Ouch, that’s a pretty damning demo. I wonder how the diehard MS fans are going to spin this…

2004-08-23 10:14 pm

There was talk that SP2 is supposed to have an improved firewall. Does anybody know if this is the case and in what way it’s improved?

2004-08-24 12:47 pm

1. type about:config in location bar
2. change values for dom.disable_window_open_feature.location, dom.disable_window_open_feature.menubar, dom.disable_window_open_feature.status, dom.disable_window_status_change to true.
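
A check for the four preferences named in the last comment, added here as an example and not part of the original thread: the `dom.disable_window_open_feature.*` prefs stop scripts from hiding the location bar, menu bar and status bar in windows they open, and `dom.disable_window_status_change` stops scripts from rewriting the status bar text. The function names and the sample profile text are constructed for illustration; the parser assumes the one-pref-per-line `user_pref("name", value);` layout of a Firefox `prefs.js` or `user.js` file.

```python
import re

# The four preferences listed in the comment; each should be set to true.
REQUIRED_PREFS = (
    "dom.disable_window_open_feature.location",
    "dom.disable_window_open_feature.menubar",
    "dom.disable_window_open_feature.status",
    "dom.disable_window_status_change",
)

# One active pref line. Lines starting with // or # never match, so
# commented-out settings are correctly treated as not set.
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def parse_prefs(text):
    """Return {name: raw_value}; a later line overrides an earlier one."""
    prefs = {}
    for line in text.splitlines():
        match = PREF_LINE.match(line)
        if match:
            prefs[match.group(1)] = match.group(2)
    return prefs

def audit(text):
    """Report 'ok', 'missing' or 'wrong value: X' for each required pref."""
    prefs = parse_prefs(text)
    report = {}
    for name in REQUIRED_PREFS:
        if name not in prefs:
            report[name] = "missing"  # the browser default applies
        elif prefs[name] == "true":
            report[name] = "ok"
        else:
            report[name] = "wrong value: " + prefs[name]
    return report

# Constructed sample profile content (not taken from a real system).
SAMPLE = """# Mozilla User Preferences
user_pref("dom.disable_window_open_feature.location", true);
user_pref("dom.disable_window_open_feature.menubar", false);
// user_pref("dom.disable_window_open_feature.status", true);
user_pref("dom.disable_window_status_change", true);
user_pref("browser.startup.homepage", "about:blank");
"""

if __name__ == "__main__":
    for pref, status in audit(SAMPLE).items():
        print(f"{pref}: {status}")
```
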