New Phishing Flaw in Internet Explorer

Hey kids,

I just read this on Slashdot, thought I would share.

Quote:

---

Found at: http://it.slashdot.org/it/06/04/06/1718210.shtml
JimmyM writes "Secunia reports on a new vulnerability in Internet Explorer . From the piece: 'This can be exploited to spoof the address bar in a browser window showing web content from a malicious web site.' According to several (german) media outlets this is already being exploited by phishing sites. Secunia has a test you can try to see if you are vulnerable."

---

Maybe not a pressing issue, but interesting anyway!

-Deeboe

Strange, firefox throws up a different result each time for me - it will either just go straight to Google - and say google in the address bar - or it will go to secunia site - say google.com in the address bar for a second or two and then change to the correct URL and prompt me to D/L a .fla file.

What happens with y'all?

Fully patched IE with XP home (patched) is vulnerable



secunias web site warning

Quote:

---

Your browser is vulnerable if the Address Bar displays "http://www.google.com/".

---

and the address bar shows google :(

MLF

Debian Sarge with KDE 3.5 (from backports.com) and Mozilla Firefox 1.5.0.1 is not vulnerable. Hmmmm. :p

But then, we knew that. :rolleyes:

The url does look a bit off. A few %20 or %3 jumping in the bar but nothing to say its google or so.

The test worked in my fully patched IE (WinXP pro NL) but the netcraft toolbar did show it as SECUNIA..

So antiphishing tools prove their worth..

In answer to Nokia's question, I tried it with Firefox 1.07 and Win 2000 SP4 updated a few hours ago and it goes to Secunia every time.

:)

No probs with FF, but had to set the security level on IE to medium and mark prompt on the scripting options before it would go to the Secunia site....now I am okay.... ;)

my default settings in this box all browsers .including IE..went to secunia...

It is your security settings.. Just tested on a clean installed system with ALL patches applied BUT default security setting .. and yes ie failed the test..

my bar in firefox took me to yahoo and said res2res is not a registered protocol

I think it's funny everyone is trying Firefox. Secunia specifically states this is an IE exploit. I was mostly being a sh!t, poking fun at the IE zealots.

<soapbox>
Internet Explorer will always be a bigger risk for the unlearned home users who run everything as a priviledged account. Yes, Firefox and the other browsers are at risk too in that setting, but they don't suffer from the further fatal flaw of being embedded into the operating system.
</soapbox>

Seriously, I'm not trying to start an argument or another MS is [better|worse] than open source, and when properly configured IE seems to be just as secure as any other segregated application. But in it's default setting, which is how the majority of people use it, using IE is asking for trouble more so than any other browser.

though vulnerable, couldn't one see that the page changes (refreshes, redirects, any change)? Shouldn't one be suspicious of this, especially on a trusted page? when I tried the test on secunia, I could tell that the page was changed (not because of the content). Could this exploit be made to change faster or in a more subtle fashion? idk, I say the effectiveness of this exploit against a user with a good head on their shoulders is limited. Am I missing something?

Quote:

---

though vulnerable, couldn't one see that the page changes (refreshes, redirects, any change)? Shouldn't one be suspicious of this, especially on a trusted page? when I tried the test on secunia, I could tell that the page was changed (not because of the content). Could this exploit be made to change faster or in a more subtle fashion? idk, I say the effectiveness of this exploit against a user with a good head on their shoulders is limited. Am I missing something?

---

While this might be true to us, this doesn't hold water to the large majority of Internet users today. Click Click Click Click this is all they know. I say the users on the internet with a good head is limited.


/2 cents

Quote:

---

Originally posted here by zencoder
I think it's funny everyone is trying Firefox. Secunia specifically states this is an IE exploit. I was mostly being a sh!t, poking fun at the IE zealots.

<soapbox>
Internet Explorer will always be a bigger risk for the unlearned home users who run everything as a priviledged account. Yes, Firefox and the other browsers are at risk too in that setting, but they don't suffer from the further fatal flaw of being embedded into the operating system.
</soapbox>

Seriously, I'm not trying to start an argument or another MS is [better|worse] than open source, and when properly configured IE seems to be just as secure as any other segregated application. But in it's default setting, which is how the majority of people use it, using IE is asking for trouble more so than any other browser.

---

I was negged (by a retired member. Grow up and stop trolling...if you don't participate, your negative AP's really don't matter) for my closing statement.

I offer documentation to back my position.

Quote:

---

Originally posted here by zencoder
I was negged (by a retired member. Grow up and stop trolling...if you don't participate, your negative AP's really don't matter) for my closing statement.

I offer documentation to back my position.

---

From the document in the previous post:

Quote:

---

TO better understand the operating system's dependency on IE, iDefense Labs removed IE from a default installation of Windows XP. Decoupling the browser from any Windows version after 98 is a complex and poorly documented process. <snip>

The decoupling process was far from straightforward. It involved booting from a floppy disk and removing numerous Dynamic Link Library (DLL) and executable files. It is important to note that simply removing IE through the Add/Remove Applications program in the Control Panel merely removes shortcuts to the browser from the desktop and Start meny; it does not permanently remove any components of IE. snip

iDefense lab test show that the following features of Windows fail to work properly when IE is removed:

• Windows Update
• Device Manager
• Remote Assistance
• Help and Support
• All Troubleshooting Wizards
• Activate Windows
• Disk Defragmenter
• Disk Backup
• Program Compatibility Wizard
• Address Book
• Search For People
• Windows Media Player
• Windows Catalog
• Hearts and Spider Solitaire
• Internet Games

As shown, key functionality is broken when IE is removed. For example, some of these applications are critical to the security of the computer, such as Windows Update and the Device Manager. These applicatins may have failed because the DLL files that handle Web connectivity through IE were removed with the browser. Certain DLL files were restorded to see if this was indeed the case; however, this further distorted the desktop, dut did restore some functionality in select applications. This demonstrates the deep level of integration between IE and the operating system. Because os this, iDefense recommends that users not attempt to remove IE from Windows.

---

Stick that in your pipe and smoke it. And damnit, I'm more mad that I let you get to me, than the fact that you actually got to me. Stop trolling. No one (who is still here) is impressed by you.

Funny, this doesn't work when IE security is set on "high". :p It's a good thing I don't trust sites I don't own!

Quote:

---

But in it's default setting, which is how the majority of people use it, using IE is asking for trouble more so than any other browser.

---

I like to think that this site is about security, not a social problem... :D

I would like to think that as well. Unfortunately, the social problems are not always controlled by "security". We often have policy and EULA's to tell people what they CAN and CAN NOT do. Doesn't mean they WILL do it...au contrare, if you put up a sign "Stay off the grass" people show up with Footballs. :P

Hey Hey,

Zen... sometimes iDefense doesn't take the greatest approach...

They went in and deleted DLLs... let's think about this logically..

In Windows you have DLLs... Dynamic Link Libraries.. yada yada yada..
In *nix you have Libraries...

Let's say you compile software in *nix and dynamically link it to the library... What's going to happen if you turn around and delete the library that it's linked to and then try and run the software??? It won't run..

Just because software uses a DLL it doesn't mean that the DLL in question is actually part of the software... it could be a system DLL that the software is making calls against... (This matches with what catch said in another thread that IE just makes proper use of APIs documented in the MSDN)..

So IE is compiled and dynamically linked to the DLLs... (makes sense... the file size will be decreased).. iDefense decides to reverse engineer IE and get's a list of all DLLs that it makes calls against... they then boot off a floppy and delete these DLLs to they can "fully" remove IE... they've now removed system DLLs... other programs that call upon these libraries can no longer function...

There is software out there that will help you remove IE.... example: http://www.litepc.com. Could Microsoft make it easier to remove the browser??? Yes... but why should they... it's more work on their part for something seldom people would do... Every OS ships with a browser these days....
When I install SuSE I Get KDE and Konqurer (a file browser and web browser)
When I install Ubuntu I get Gnome and FireFox Chrome (1.07, which isn't updated via their auto update system to 1.5.0.2)
When I install OS X, I get Safari....

Everyone bundles their software... no one makes it overly easy to remove it... why add those extra steps... At least Microsoft has now provided a way to do the Windows Genuine Check with Firefox... I can remember when that wasn't possible... Just because IE's on your system doesn't mean you need to use it... it's your own choice to use it...

But as I said... iDefense prolly wiped out some standard DLLs and fubar'd their install..

Peace,
HT

btw... notice how if a new member had come back and posted because someone had negged them... we'd neg the newbie and give them enough warnings to scare them away from the site?... maybe we need to rethink things in one way or another..

Anybody ever tell you IE is evil, HT?

:(

Quote:

---

Originally posted here by brokencrow
Anybody ever tell you IE is evil, HT?

:(

---

Once again I see a useless post from you that leads me to question your IT abilities yet again... Why is IE evil??? Because users choose to run it in the default configuration??? That doesn't make the software evil... that makes the user stupid... but we've already had this discussion... and we know we're not going to get anywhere with it... Oracle went ahead and published exploit code on their website for their own vuln... it was a mistake but still.. they did it... Do you want to say that oracle is evil as well... I'm sure we could come up with plenty of other software as well... the latest firefox update fixed... I believe 7 vulns of varying degrees of severity... do we want to call firefox evil... IE had 10 and everyone makes a big deal.. but firefox had 7... what's that any different... 1 is bad.. more than that is just extra frosting..

Peace,
HT

Quote:

---

Why is IE evil??? Because users choose to run it in the default configuration?

---

No, because M$ chooses to ship it as such...

Quote:

---

Originally posted here by brokencrow
No, because M$ chooses to ship it as such...

---

Ok... so we've established you've got no IT knowledge and in addition no business knowledge.

Do you really think that it would make business sense to ship out XP locked down??? nope.. no one would buy it or use it... People want freedom.. not restrictions.... When you realize that come back and chat... I'll be more than happy to... but until then you're just being foolish.. .and I've got no need to waste my time.

Quote:

---

...and I've got no need to waste my time.

---

Uhhh...so that's why you replied? You're a hard guy to figure, HT. Then again, maybe not...

:confused:

Quote:

---

<soapbox>
Internet Explorer will always be a bigger risk for the unlearned home users who run everything as a priviledged account. Yes, Firefox and the other browsers are at risk too in that setting, but they don't suffer from the further fatal flaw of being embedded into the operating system.
</soapbox>

Seriously, I'm not trying to start an argument or another MS is [better|worse] than open source, and when properly configured IE seems to be just as secure as any other segregated application. But in it's default setting, which is how the majority of people use it, using IE is asking for trouble more so than any other browser.

---

zencoder, being new to security, and i will ask our network administrators, but i was wondering, how do we actually better secure IE? :confused: do i go to Tools->Internet Options->Security and change the setting there? or is it through patching, or both? i won't touch, just wanted to know, and again i will contact our tech support on this and ask, just thought i would ask here as well.

also did MS release something to fix this issue, should we go to something else in the meantime? :eek:

i just saw the MS security site, i suppose one of many, and not surprisingly, MS has their hands full and they are doing a lot! http://www.microsoft.com/security/default.mspx

hrmm, i am betting the linux and the new mac os will be experiencing the same type of thing as they grow in popularity; probably nothing new to you all, i just realized this.

looks like some good reading out there. deeboe, thank you for posting this! :D

Hey -

Yes, increasing the security level for the internet zone will lower the functionality of IE. This will reduce the number of threats against it. Patching will mitigate known vulnerabilities. If you can do your surfing under a user account, then the level of exploitation possible through the browser will be greatly limited as well.

Quote:

---

Originally posted here by Guan-Di
zencoder, being new to security, and i will ask our network administrators, but i was wondering, how do we actually better secure IE? :confused: do i go to Tools->Internet Options->Security and change the setting there? or is it through patching, or both? i won't touch, just wanted to know, and again i will contact our tech support on this and ask, just thought i would ask here as well.

also did MS release something to fix this issue, should we go to something else in the meantime? :eek:

i just saw the MS security site, i suppose one of many, and not surprisingly, MS has their hands full and they are doing a lot! http://www.microsoft.com/security/default.mspx

hrmm, i am betting the linux and the new mac os will be experiencing the same type of thing as they grow in popularity; probably nothing new to you all, i just realized this.

looks like some good reading out there. deeboe, thank you for posting this! :D

---

*sigh* HTRegz, don't bother with him.. since I'm less knowledgeable than anyone in IT, let me handle this.. :D

brokencrow: Imagine having two people, each with their own machine. Now, hypothetically.. one has a WinXP machine and the other has a Red Hat 9.0 or insert*nixdistrohere. Alright, now.. Mr. WinXP follows typical security practices.. downloads patches for ALL his software and his OS.. updates A/V and A/V signatures.. configures a firewall with set rules and permissions.. all around, secures his box in each way that he could. On the other hand, Mr. *nixdistro does NOTHING. Never updates any software, never checks the OS distributers site or whatever for patches, updates, etc.. NOTHING.

With that in mind, which machine would probably and most likely have less attacks against them be performed successful? Better yet, which machine would run more efficiently altogether? If you still say the *nix one, you have problems..

Just a little comparison to help you understand what HTRegz tried to tell you. It's not always the software that makes the security of it (actually, change not always to never). It's the security around the software (set by the user) that makes the software.

Hypotheticals are great and all, but let's talk reality.

Mr. XP very often follows no security practices. He'll update Windows automatically sometimes, if they've got SP2. Sometimes not. He'll update their AV if it's automatic, but often it's not. Then there's the fact Mr. XP is using the most attacked OS on the market. So there's a constant barrage of new viruses, many of which his AV won't handle. Then there's spyware, the newest setting their hooks deep into the OS via rootkits. Now Mr. XP loves the fact he can so easily install software, he doesn't even need a password or anything. And so do rogue programmers. And poor Mr. XP, using a web browser chocked with ActiveX, has software installed for him all the time, unbeknownst to him. So in the end, Mr. XP has a slow computer, running God-knows-what, with no clue what to do but go and buy a new one (what a great business model).

Now Mr. Ubuntu on the other hand (or Mr. Suse or Mr. Apple) are using OS's for which few viruses are written. OS's for which spyware is almost non-existent. Wasn't it only just this year the very first trojan (a rather toothless trojan at that) was written for Apple's OS? And how many years have trojans been written for Windows? All these OS's come with default security settings just like Windows. They come with firewalls. They come with AV if you want it (of course, this isn't such a concern for Mr. Ubuntu or Mr. Apple). They have update features similar to Windows. Mr. Ubuntu can rather easily install software as long as he remembers his password. Same for Mr. Apple and Mr. Suse. They can't just willy-nilly install apps on their PC's as mindlessly as Mr. XP, which is probably good (unless of course your in the mindless software business!). And Mr. Ubuntu is running a modular OS that makes it tougher to get rogue apps like spyware to reach to the kernel, unlike poor Mr. XP, who's using a web browser which when compromised takes viruses and spyware right to the Windows kernel.

I'm reminded of a commercial real estate appraiser who migrated his office to Apples after shucking Windows. Now his computers are never slowed by spyware. His risk of viruses is much lower than with Windows. Since there's a dearth of apps for Apple, he's got less worries about employees throwing any old app on his computers. And he's never looked back.

Now, what were you saying?

brokencow are we to understand that as a refutation to what you call hypotheticals you have replied with a hypothetical argument claiming that for environments at the lowest level of maturity that security by obscurity is the best choice?

in light of this you cannot be wondering why an increasing number of users have claimed no faith in your information technology knowledge. because i agree with these users i will not spend the time required to correct your post.

i do hope that some day you can come back to your post and ponder how far you have come.

I'm pondering what you find so hypothetical in my last. And where did you get this: "...security by obscurity is the best choice"?

I never said any such thing nor did I infer it. My point was simply that the Linux systems I've run have 1) OS update features built in to them, just like Windows, 2) have full AV capabilities, 3) have a more secure installation routine (password required), 4) are much less targeted by virii and spyware, and 5) are not as easily attacked because of design.

What with the attacks on my character? Surely you can do better than that...

Quote:

---

And where did you get this: "...security by obscurity is the best choice"?

---

You didn't say "security by obscurity is the best choice," but the following excerpt from your post could be interpreted to imply that less "popular" OSs have an advantage.

Quote:

---

Now Mr. Ubuntu on the other hand (or Mr. Suse or Mr. Apple) are using OS's for which few viruses are written. OS's for which spyware is almost non-existent. Wasn't it only just this year the very first trojan (a rather toothless trojan at that) was written for Apple's OS? And how many years have trojans been written for Windows?]

---

If you are using this as an advantage for Linux, Mac, you might want to explain why fewer viruses are written? E.g. "Is it because they are less popular systems, or is it because they are harder to write viruses for/"

brokencrow: I'm not even going to respond to such stupidity.. I'm joining HTRegz in no longer commenting on your lack of knowledge and/or what you're saying..

Quote:

---

Do you really think that it would make business sense to ship out XP locked down??? nope.. no one would buy it or use it........................................ When you realize that come back and chat... I'll be more than happy to... but until then you're just being foolish.. .and I've got no need to waste my time.

---

Really? The first part of that statement admits that Microsoft ship their operating system in a potentially insecure state. They do that for commercial reasons, so that it meets their marketing claims to the general public

The objection that I have is that between them Microsoft and the OEM manufacturers fail to include any instructions or documentation to advise users of the issues. In other words, to ACTUALLY give them freedom of choice.

Quote:

---

People want freedom.. not restrictions....

---

So, a system that is insecure is "freedom" and one that is secured is "restricted"?

Let me expose this argument, that I keep seeing time and time again, for what it really is. Basically what it says is:

1. Microsoft cannot be criticised for supplying software that is insecure because a knowledgeable user can secure it. THAT IS ABSOLUTELY TRUE as it stands by itself.

2. Domestic users wouldn't want or buy a system that was "restricted" or locked down by default. This is POTENTIALLY TRUE but would very much depend on what an individual user's perceptions and requirements happened to be? If one assumes that the user requires "unrestricted functionality", as this argument does, then you have a logical impasse.

This is a bit like the logical equivalent of wanting to both have your cake and eat it?

SO LET'S LOOK AT SOME ALTERNATIVES?

1. Microsoft and the OEM's should ship instructions that CLEARLY explain the options, their implications and how to implement the user's choices. There are a number of tutorials and posts on this site that explain how to do this, so why can't/won't the big boys do it?

2. MS products ARE more subject to attack than others because they have such a large proportion of the market. It would be illogical, even foolish to suggest that if another operating system and browser were the most popular to the same extent, they would not be targeted as MS is today, and MS would appear to be "more secure".....................hey, if 90% of systems used the RISC OS then that is where everyone would have their expertise and experience? because that is how they would earn their livings ;)

3. "Security through obscurity" DOES WORK it just happens to be a bad idea because it cannot be relied upon and is based on hope, rather than control.

Which brings us back full circle :cool:

If MS and the OEMs explain the facts they will face increasing pressure from MACs and other OSes.

I agree that is somewhat unfair, but it is a fact of life in the current marketplace & environment.

Basically, if you want to use MS securely you have to lock it down and reduce its functionality, otherwise you might gain some temporary relief from using a relatively obscure and untargeted system.

I wonder which option Steve Ballmer favours?

:)

Quote:

---

Do you really think that it would make business sense to ship out XP locked down??? nope.. no one would buy it or use it... People want freedom.. not restrictions.

---

I really don't know Microsoft's policies on such things since I have not been invited to their board meetings :) However, if this is true, it seems a somewhat questionable practice. A company's name seems to be a very valuable asset. All the bad press which Microsoft has gotten from security issues (whether it is true or not) cannot be good for their business. It seems to me that shipping a locked down browser and OS along with some reasonably detailed security instructions would go a long way toward helping MS take a club out of the hands of people who are using it to beat them. Then they could say, "Well, we've done all we can. If users disable security features, it's beyond our control." And it would be.

And as a matter of fact, I think all Linux distributions should include some kind of security tutorial on the desktop where a user could see it when he or she logs in for the first time.

Hi preacherman481

I am inclined to agree that the defaults should be for higher security. I speak from personal experience of building OEM kits for people. I tend to lock them down pretty tight based on what they tell me they want to do, and explain some of the most common options and concepts.

They don't understand the difference between internet and trusted zone for example............. :eek:

I very rarely have any complaints, but that IS based on talking to them and finding out the requirements are.

Perhaps the retail side of the industry should take some of the responsibility as well?

It is surprising how little of a system that people use? just look at Microsoft Office suite for example. People buy it and are very happy with what it does, but I doubt if they use much more than 25% or so of its features?

I suspect that MS marketeers are actually rather paranoid in this area? I know that I am :D and would prefer to start off with less functionality and a more secure system, then take it from there.

Obviously I am talking the domestic/home/SOHO environment here.

At the end of the day I go back to my observation that many domestic users buy a PC as they would a washing machine or microwave. I cannot blame them as this is how they are sold to them?

:)

Quote:

---

If you are using this as an advantage for Linux, Mac, you might want to explain why fewer viruses are written? E.g. "Is it because they are less popular systems, or is it because they are harder to write viruses for/"

---

I'm placing my bets on the idea that these systems are indeed harder
to attack successfully. Unix has always had a big share of the server
market, and it stands to reason that the bad guys are highly motivated
to attack them. They are better operating systems, period.

As to the Internet Explorer defaults, Microsoft is about to get religion on this
because they have already been advising people that the only way to
protect themselves is either "don't surf to untrusted sites" or disable
active scripting.

The really sad thing is (I've been preaching this for a while now), that they
could have a secure browser with a high degree of functionality by setting
the internet zone very strict and give you a simple one button click
to move sites to the trusted zone whenever things "don't work"

Quote:

---

Restriction commands in the tools menu help you set sites as trusted or restricted without having to wade through the control panel to find the controls.

---

http://www.microsoft.com/windows/ie/...s/pwrtwks.mspx

The stuff is available, but i know my wife does not know how to do
this.
:cool:

I don't find it inconceivable that in the future there will be some kind of legal/civil penalty for failing to properly secure a system. Some kind of "due diligence" liability. Don't laugh, you all know that these compromised computers aren't idle. These "bot fleets" are used for cracking, spamming, and DDOS attacks, and all these things cost money. And where money is involved,,,, well, you know laws won't be far behind.

Quote:

---

At the end of the day I go back to my observation that many domestic users buy a PC as they would a washing machine or microwave.

---

Well, and that is a problem. Computers are not toys. They may not be deadly weapons, but they can be economic weapons.

I thought I'd try this little test since I do not run Firefox but rather a browser based on IE.
With my standard setup (which is NOT a plain box) I can't even click the link to start the test.

Oh...geez...I have to turnoff my popup blocker which also stops javascripts. ;)

Single click -off goes the popup blocker. Try again.

Now I get another tab (webpage) to appear, first with a Google page, then back to Secunia site which shows a Secunia address (http://secunia.com/19521_swf_result/).
If I wait a couple minutes, the address changes to a Google address, and a couple minutes after that the address returns to Secunia with large RED letters S E C U N I A.

Here's what my popup blocker logged, in part:

GET http://secunia.com/Internet_Explorer...rability_Test/ HTTP/1.0
GET http://secunia.com/html/default.css HTTP/1.0
GET http://secunia.com/gfx/blank.gif HTTP/1.0
GET http://secunia.com/gfx/orangebottom.gif HTTP/1.0
GET http://secunia.com/gfx/logo.gif HTTP/1.0
GET http://secunia.com/gfx/dub.gif HTTP/1.0
GET http://secunia.com/gfx/15line.gif HTTP/1.0
GET http://secunia.com/gfx/longline.gif HTTP/1.0
GET http://www.google.com/ HTTP/1.0
GET http://www.google.com/favicon.ico HTTP/1.0
GET http://www.google.com/intl/en/images/logo.gif HTTP/1.0
GET http://secunia.com/19521_swf/?0.030482915521364673 HTTP/1.0
GET http://secunia.com/19521_swf_result/ HTTP/1.0
GET http://secunia.com/html/default.css HTTP/1.0
GET http://secunia.com/gfx/logo.gif HTTP/1.0
GET http://secunia.com/favicon.ico HTTP/1.0

I guess all this is a moot point if javascript is turned off for all but trusted sites.

The theoretical part of me says: this could be a dangerous exploit!
The practical side of me says: I wonder how widespread this exploit is and how many people have been ripped off because of it?

Here you go, preacherman, a good article on virii in Linux and Windows:

http://www.theregister.co.uk/2003/10...ndows_viruses/

I doubt viruses & spyware will ever pose the threat to the *nix family they do to Windows.

Quote:

---

Hey -

Yes, increasing the security level for the internet zone will lower the functionality of IE. This will reduce the number of threats against it. Patching will mitigate known vulnerabilities. If you can do your surfing under a user account, then the level of exploitation possible through the browser will be greatly limited as well.

---

excellent! thank you soda_popinksky, that is what i needed to know! i appreciate the help! :)

Quote:

---

Originally posted here by nihil
Really? The first part of that statement admits that Microsoft ship their operating system in a potentially insecure state. They do that for commercial reasons, so that it meets their marketing claims to the general public

The objection that I have is that between them Microsoft and the OEM manufacturers fail to include any instructions or documentation to advise users of the issues. In other words, to ACTUALLY give them freedom of choice.

---

Microsoft has tons of documentation on the subject... As i've pointed out many times in the past... there's http://www.microsoft.com/athome/secu...s/default.mspx. There are plenty of other tips on their site... Dell will come in and set your computer up for you if you want.. I just past a poster on a lamp post a few hours ago walking to the store... for $20/hour a guy will come to your house and secure your computer for you... How many people look at instructions as it is... nothing in my house has been assembled with instructions...

As for including safety instructions or telling you how to operate it properly.. Is Ford responsible for providing training so you can obtain your drivers license??? Most places don't even ensure that you have a license to buy a car (I've driven a few home for buddies that bought cars for their upcoming 16th birthday's)... I have a gas stove... it's much more dangerous than a computer... The manufacturer (Danby), nor the gas company (Enbridge), nor the store that sold the stove provided training on what to do if the pilot light goes out, or how to relight it

If Microsoft said we're going to include documentation on how to properly secure your system... but we're going to charge you an extra 10 dollars... how many people would scream... they'd complain.. and why should Microsoft provide it free of charge.. it's already on their website.. just go get it.

Quote:

---

So, a system that is insecure is "freedom" and one that is secured is "restricted"?

---

Exactly... security = restrictions... everyone knows that

How do I lock down my network... I restrict outside access... how do I secure my wireless access point... I restrict mac address access... how do I filter certain ports... I restrict access to them... how do I keep users out of other users folders... I restrict their access to folders... security is all about restrictions... as for insecure = freedom... if you have no restrictions on you... you're free... so yes.

Quote:

---

1. Microsoft cannot be criticised for supplying software that is insecure because a knowledgeable user can secure it. THAT IS ABSOLUTELY TRUE as it stands by itself.

---

Any user can secure the software... they just have to learn how to do it... Do we criticize the car companies for not supplying instructions to add oil, fill the washer fluid or add gas??? My Grandma can't do those things... she pays to have it done rather than learn how... is that Ford's fault??? nope... So how can you blame Microsoft because people don't want to learn to do it..

Quote:

---

2. Domestic users wouldn't want or buy a system that was "restricted" or locked down by default. This is POTENTIALLY TRUE but would very much depend on what an individual user's perceptions and requirements happened to be? If one assumes that the user requires "unrestricted functionality", as this argument does, then you have a logical impasse.

---

This is more than partially true.. Users get frustrated enough by the bar's in IE 6 SP2 asking them to allow an Active X Control to run... or this software to install.. or this pop-up to open... or in Outlook when certain attachments are blocked because of their type... If the average user get's pissed off at this, how are they going to function if they find out they can't install their software just by double clicking anymore...
This is a bit like the logical equivalent of wanting to both have your cake and eat it?

Quote:

---

SO LET'S LOOK AT SOME ALTERNATIVES?

1. Microsoft and the OEM's should ship instructions that CLEARLY explain the options, their implications and how to implement the user's choices. There are a number of tutorials and posts on this site that explain how to do this, so why can't/won't the big boys do it?

---

Why should Microsoft do it... a co-worker and I were having a great chat the other day about freedom of information... nothing is free.. Even volunteer work... you do it because it makes you feel good... people post tutorials here because they feel good helping others... Computers are their hobby so it makes sense that this is where they'd spend their free time... and they feel good by putting their hobby to use, it makes them feel justified... Microsoft is a company... companies want to make money, so why would they want to do this for free... there's nothing in it for them... Just as Ford doesn't walk you step by step through changing your oil, or putting on the spare tire...

Quote:

---

2. MS products ARE more subject to attack than others because they have such a large proportion of the market. It would be illogical, even foolish to suggest that if another operating system and browser were the most popular to the same extent, they would not be targeted as MS is today, and MS would appear to be "more secure".....................hey, if 90% of systems used the RISC OS then that is where everyone would have their expertise and experience? because that is how they would earn their livings ;)

---

Why would this be illogical or foolish, it's entirely true... It's true... Microsoft is at the point it's at, because of it's popularity... People target what is popular and in use... For Example.. you used to see tons of toys / exploits / vulns / whatever for ICQ... now that it's gone you see them for MSN, AIM and Yahoo..

Quote:

---

3. "Security through obscurity" DOES WORK it just happens to be a bad idea because it cannot be relied upon and is based on hope, rather than control.

---

Agreed.... but I"m not sure that I'd call that working... I say it "appears to work"

Quote:

---

Which brings us back full circle :cool:

If MS and the OEMs explain the facts they will face increasing pressure from MACs and other OSes.

I agree that is somewhat unfair, but it is a fact of life in the current marketplace & environment.

Basically, if you want to use MS securely you have to lock it down and reduce its functionality, otherwise you might gain some temporary relief from using a relatively obscure and untargeted system.

I wonder which option Steve Ballmer favours?

:)

---

I'm not sure how MS wlil face increasing pressure from Apple and other's if they explain the facts... Every OS needs to be locked down to be secure... you can't brand that as an MS only problem.... At the same time.. users don't want that.... Even HP-UX.. you can run Trusted HP-UX... it's much better... but a lot of people don't want to.. even though you purchase the same software and type one little command to convert it.. companies don't do it. If companies won't do it why would users do it..

Quote:

---

brokencrow
I doubt viruses & spyware will ever pose the threat to the *nix family they do to Windows.

---

'Tis better to remain silent and appear foolish, than to open your mouth and remove all doubt'... Perhaps words you should live by... Do a current users to current threats... and then speak again... You're a ****ing tard... my only irritation is that you see that as a bunch of ****'s so the full effect cannot be appreciated... Go read a book and get a life... leave this site to those with a clue and those that need help... or accept that you don't have a clue and say you need help..

Peace,
HT