A new cumulative patch for Internet Explorer was released 2003-10-03. See the Technet article for details.
http://www.microsoft.com/technet/security/bulletin/MS03-040.asp
http://www.microsoft.com/technet/security/bulletin/MS03-040.asp
evildave
Unregistered
E
I like my "patch": Don't ever use IE.
They keep patching and patching, and still it's chock full of holes. It's all patch, by now.
They keep patching and patching, and still it's chock full of holes. It's all patch, by now.
Hand Bent Spoon
Unregistered
- Joined
- May 18, 2003
- Messages
- 378
^Just because you never hear about security problems with other browsers, doesn't mean they don't have them.
I will never understand why people criticise a software company for making improvements in its software's security.
I will never understand why people criticise a software company for making improvements in its software's security.
evildave
Unregistered
E
Microsoft: A software company that introduced us to an unnecessary and risky extenstion to their browser AFTER JAVE was made a standard.
ActiveX: The browser "plug-in" that lets it download and run native code provided by any old web site.
Brilliance!
All versions of Windows will let you replace a system .DLL by simply putting something with the same name in the search path for your application. Handy, if you want to get something nasty invoked when a certain kind of library is loaded. Such as by copying something into a file from "safe" script code and letting it get inadvertently invoked the next time your email client (or some other software) is run.
Sure, everyone is concentrating on Windows for viruses. There is absolutely no difference to Windows between a data file and a native executable image. Any process with any level of permission may "create" a file under Windows, and let it be invoked by an inadvertent reference as an executable image later, or with a quick "tweak" in the registry. Paradise for a virus writer.
Then it can start modifying other things "for you". After all, everything is given the user's implied consent under Windows.
It would be "way too much work" to provide a special mode for Windows to change what is installed, and register what is executable, and protect these critical things from any modifications outside of this mode. People who ship software might have to (gasp!) have a directory set aside for the executables while installing, or flag some files to be "executable ones" and test it.
ActiveX: The browser "plug-in" that lets it download and run native code provided by any old web site.
Brilliance!
All versions of Windows will let you replace a system .DLL by simply putting something with the same name in the search path for your application. Handy, if you want to get something nasty invoked when a certain kind of library is loaded. Such as by copying something into a file from "safe" script code and letting it get inadvertently invoked the next time your email client (or some other software) is run.
Sure, everyone is concentrating on Windows for viruses. There is absolutely no difference to Windows between a data file and a native executable image. Any process with any level of permission may "create" a file under Windows, and let it be invoked by an inadvertent reference as an executable image later, or with a quick "tweak" in the registry. Paradise for a virus writer.
Then it can start modifying other things "for you". After all, everything is given the user's implied consent under Windows.
It would be "way too much work" to provide a special mode for Windows to change what is installed, and register what is executable, and protect these critical things from any modifications outside of this mode. People who ship software might have to (gasp!) have a directory set aside for the executables while installing, or flag some files to be "executable ones" and test it.
Hand Bent Spoon said:
Compare the sheer number of security holes in IE to those in Mozilla. Not only are there many, many more holes in IE, they are of a much greater magnitude. Other browser makers had the sense not to run their browser in the OS space and to sandbox their plugins. Those are major design flaws with IE that Microsoft is showing no signs of fixing; they're just fixing the extreme flaws that allow people to exploit them.
Here's a list of all the Critical or higher bugs in Mozilla:
http://bugzilla.mozilla.org/buglist...ce&field0-0-0=noop&type0-0-0=noop&value0-0-0=
How many of those are of the "This bug allows an attacker to gain remote access to your system" type?
One more place to look. This is the list of known security holes in Mozilla that have been fixed. Compare these to the patches everyone has to DL for IE:
http://www.mozilla.org/projects/security/known-vulnerabilities.html
Note that most of these were fixed in 1.0 or 1.0.1. Some go up to 1.2. It's a far cry from Microsoft, who seems to have a new security patch for IE every week!
http://www.mozilla.org/projects/security/known-vulnerabilities.html
Note that most of these were fixed in 1.0 or 1.0.1. Some go up to 1.2. It's a far cry from Microsoft, who seems to have a new security patch for IE every week!
evildave
Unregistered
E
True - especially if you had the extreme lack of sense to leave "Active Desktop" enabled. Explorer is indeed "Internet Explorer" since Win95. That's why the whole desktop goes "kablooey" when IE hangs. The difference is, whether you expose the terrific preponderance of your security weaknesses to the world by USING IE to browse the web, or shut down/close off most of the internet services that "conveniently" allow Windows to screw you.
I do use Linux. Currently usually under a VMWare window under Windows for development purposes. One of these days, I'll just go the other way 'round. Perhaps when the new KDevelop is stable.
It just comes down to the games. I suppose I could arrange a multiple boot, so I could bring it up under native Windows only when I felt like killing some head crabs or undead or something.
After all, those native Linux distros have been getting a LOT better over the years, as has my ability to administer them. There's even a "Lindows" (linux for dummies) distro that acts pretty much like Windows for the "challenged" among us. The only difference: It's not a seething virus farm.
What with OpenOffice, there's not a lot of compelling reasons to fork over cash to Microsoft for anything.
I do use Linux. Currently usually under a VMWare window under Windows for development purposes. One of these days, I'll just go the other way 'round. Perhaps when the new KDevelop is stable.
It just comes down to the games. I suppose I could arrange a multiple boot, so I could bring it up under native Windows only when I felt like killing some head crabs or undead or something.
After all, those native Linux distros have been getting a LOT better over the years, as has my ability to administer them. There's even a "Lindows" (linux for dummies) distro that acts pretty much like Windows for the "challenged" among us. The only difference: It's not a seething virus farm.
What with OpenOffice, there's not a lot of compelling reasons to fork over cash to Microsoft for anything.
a_unique_person
Director of Hatcheries and Conditioning
Shouldn't this just be made a 'sticky' thread?
evildave
Unregistered
E
Which part?
"Arggh! IE Has blown up again and I can't use my computer!"
"Microsoft is Evil!"
"Microsoft is our greatest compassionate hero!"
"Windows versus Linux versus Unix versus Mac OsX versus...."
"Arggh! IE Has blown up again and I can't use my computer!"
"Microsoft is Evil!"
"Microsoft is our greatest compassionate hero!"
"Windows versus Linux versus Unix versus Mac OsX versus...."
a_unique_person
Director of Hatcheries and Conditioning
All of the above, but mainly the part about "New patch for IE available".
Wolverine
Centered and One
Thanks for the heads-up, Skeptoid.
Psi Baba
Homo Skepticalis
- Joined
- Aug 13, 2001
- Messages
- 4,027
Too true. This is from the new security bulletin:shanek said:
"This vulnerability affects computers that have Microsoft® Internet Explorer installed. (You do not have to be using Internet Explorer as your Web browser to be affected by this issue.)"