SANS Infocon at Yellow - IE Exploit

Hello,

I was just informed that the SANS ISC Infocon is at [gloworange]YELLOW[/gloworange]

It is due to the IE exploit announced yesteday.

From the ISC

Quote:

---

IE exploit on the loose, going to yellow
Published: 2006-03-23,
Last Updated: 2006-03-23 20:18:59 UTC by Jim Clausing (Version: 1)

Folks, as Lorna predicted yesterday , it didn't take long for the exploits to appear for that IE vulnerability. One has been making the rounds that pops the calculator up (no, I'm not going to point you to the PoC code, it is easy enough to find if you read any of the standard mailing lists), but it is a relatively trivial mod to turn that into something more destructive (in fact, one of our readers has provided us with a version that he created that is more destructive). For that reason, we're raising Infocon to yellow for the next 24 hours.

Workarounds/mitigation

Microsoft has posted this and suggests that turning off Active Scripting will prevent this exploit from working. You could, of course, always use another browser like Firefox or Opera, but remember that IE is so closely tied to other parts of the OS, that you may be running it in places where you don't realize you are.

One of our readers asked whether DropMyRights from Microsoft would provide any protection. We haven't had an opportunity to test that out.

I understand a snort signature to detect the exploit has been checked in to bleeding-snort, I'll update the story with a URL for the sig as soon as I find it.


References

Original Secunia bulletin: http://secunia.com/advisories/18680/
Microsoft blog: http://blogs.technet.com/msrc/archiv...22/422849.aspx

---

Watch out!

-Deeboe

Dang! Leave my desk long enough to fry a burrito and look what happens!

grumble grumble

======

[EDIT]
Microsoft now has an advisory posted for this:

http://www.microsoft.com/technet/sec...ry/917077.mspx
[/EDIT]

Howdy..

I got stung by that about half and hour ago. I thought it was a prank, but when i refreshed ext, i noticed that weird things where happening..

That's the last time i use ie to catch up on the morning news...

cheers
f2b

Internet Explorer? who is that? Christopher Columbus? Vasco da Gama?

I don't use it..........why? because Microsoft don't sell it

Think about that folks..............sure, the others are "free" but they survive through advertising etc....Internet Explorer does not, so is the most attacked and least well protected.

In truth Microsoft don't "need" Internet Explorer.................in fact its "embedded status" is almost making it a problem child?

I have seen M$ dump their own AV product in my lifetime...........maybe IE will be next?

Just my twisted logic :)

Hello all-

Just checked out the update and here I thought I could slack a lil' bit today:

Da update:

Quote:

---

IE exploit on the loose, going to [gloworange]yellow[/gloworange]
Published: 2006-03-24,
Last Updated: 2006-03-24 04:01:25 UTC by Jim Clausing (Version: 1)

Folks, as Lorna predicted yesterday, it didn't take long for the exploits to appear for that IE vulnerability. One has been making the rounds that pops the calculator up (no, I'm not going to point you to the PoC code, it is easy enough to find if you read any of the standard mailing lists), but it is a relatively trivial mod to turn that into something more destructive (in fact one of our readers, Matt Davis, has provided us with a version that he created that is more destructive). For that reason, we're raising Infocon to yellow for the next 24 hours.


Workarounds/mitigation

Microsoft has posted this and suggests that turning off Active Scripting will prevent this exploit from working. You could, of course, always use another browser like Firefox or Opera, but remember that IE is so closely tied to other parts of the OS, that you may be running it in places where you don't realize you are.

One of our readers asked whether DropMyRights from Microsoft would provide any protection. We haven't had an opportunity to test that out.

I understand a snort signature to detect the exploit has been checked in to bleeding-snort, I'll update the story with a URL for the sig as soon as I find it.


References

Original Secunia bulletin: http://secunia.com/advisories/18680/
Microsoft blog: http://blogs.technet.com/msrc/archiv...22/422849.aspx

---

Annnd just in case you're as mad as hell, and you're not going to take it anymore! (paraphrased by Peter Finch as Howard Beale in "Network") - read the underlined area above first though:

Firefox: http://www.mozilla.com/firefox/
Opera: http://www.opera.com/

Quote:

---

in fact its "embedded status" is almost making it a problem child?

---

Sorry to play Devil's Advocate, but IE's embedded status is it's greatest feature. Not only is it faster, but it is more securable than anything else.


And how is the world going nuts over an exploit that can be 100% mitigated with scripting restrictions that should already be in place?

Quote:

---

And how is the world going nuts over an exploit that can be 100% mitigated with scripting restrictions that should already be in place?

---

Yep...

Quote:

---

Originally posted here by Synja
And how is the world going nuts over an exploit that can be 100% mitigated with scripting restrictions that should already be in place?

---

Funny you should mention that. This is the latest addition to the ISC Diary by Ed Skodis:

Quote:

---

...I tested the sploit on a box with software-based DEP and DropMyRights... here are the results:

Software-based DEP protecting core Windows programs: sploit worked
Software-based DEP protecting all programs: sploit worked
DropMyRights, config'ed to allow IE to run (weakest form of DropMyRights protection): sploit worked
Active Scripting Disabled: sploit failed

---

BTW - Welcome back d0pp.

-Deeboe

Quote:

---

BTW - Welcome back d0pp.

---

Thanks..


There are almost no exploits that will work against a properly configured and secured system. The argument of course, is that it should come presecured. In reality, it doesn't work that way. When you buy a car, are the seats already set for your height and frame? No. You have to set things up yourself.

I do believe that many things should be disabled by default, I mean, there is no reason to run unsigned ActiveX controls, etc. But the fact of the matter is that these settings are not buried deep in the registry or hidden from the average user, they are readily availbe in the Control Panel, or any of the many system/software configuration dialogs. There are more than enough free online resources that will allow you to secure your machine, people just need to do it.

As far as modern systems and program design is concerned, embedded systems are obsolete.

I can well remember struggling with 3,000 - 5,000 line RPGII/III programs. They are a bloody nightmare and don't let anyone tell you any different ;)

Later thinking is to go for modular designs and integrate the modules.

Even Microsoft's top technical people admit that their development model is flawed. There was a post on this site about it a little while back.

As for speed, all browsers claim to be the "fastest"; here is some research, as opposed to the opinionated BS we generally get served:

http://www.howtocreate.co.uk/browserSpeed.html#winspeed

Quote:

---

Sorry to play Devil's Advocate, but IE's embedded status is it's greatest feature. Not only is it faster, but it is more securable than anything else.

---

How can it be more securable? with an embedded system you don't have the faintest idea what it might be doing in the background. With a stand alone application or a module at least you know what you are dealing with and can be reasonably happy that when it is off, it really is off.

:)

Quote:

---

How can it be more securable?

---

The thing is that IE can be restricted by the local/domain security policy in ways that Firefox can not be.



And opera is not the fastest browser... I believe that honor goes to Links... ;)

Hmmm,

Quote:

---

The thing is that IE can be restricted by the local/domain security policy in ways that Firefox can not be.

---

And the downside is that it is always "on" doing, or potentially enabling, God knows what. ;) Also, the amount of control depends entirely on the operating system that you are running.

OK, as I see it the fundamentals are:

1. Do not run services you do not need.
2. Do not enable functionality that you do not need.
3. Do not run applications that you do not need.

That is not based on security, it is how you would get optimum performance and stability in the first instance.

We are then left with two $64,000 questions:

1. If the functionality is dangerous and should be switched off or restricted, why is it there in the first place?

2. Why do Microsoft issue so many security patches if it is merely a configuration issue?

:)

Quote:

---

And the downside is that it is always "on" doing, or potentially enabling, God knows what. Also, the amount of control depends entirely on the operating system that you are running.

---

It is the system shell. It will always be on if you want the computer to do anything. It is irrelevant whether you use IE for browsing, you still use IE unless you completely remove the system shell and use a different one. (Not a good idea, Windows was not designed for anything but Explorer)

Quote:

---

OK, as I see it the fundamentals are:

1. Do not run services you do not need.
2. Do not enable functionality that you do not need.
3. Do not run applications that you do not need.

---

There is a bit more than that?

Quote:

---

That is not based on security, it is how you would get optimum performance and stability in the first instance.

---

I believe stability to be a facet of proper security.

Quote:

---

1. If the functionality is dangerous and should be switched off or restricted, why is it there in the first place?

---

Your car can go far past the speed limit, why should it be able to if you can never go that fast? The reason that the functionality is there even if it should not be used, is simple. It is needed in some cases. System updates and AV scans work much better as an ActiveX function rather than a Java applet. And vbs scripts can be used for system administration just as easily as they can be used for exploit code. But your average user cannot use these things effectively, ergo, they should be disabled (Either the scripting or the user, I don't care which).

Quote:

---

2. Why do Microsoft issue so many security patches if it is merely a configuration issue?

---

How many of those patches are rendered meaningless by a proper configuration? A home user should only be vulnerable to kernel exploits if properly configured.

Quote:

---

It is the system shell. It will always be on if you want the computer to do anything. It is irrelevant whether you use IE for browsing, you still use IE unless you completely remove the system shell and use a different one. (Not a good idea, Windows was not designed for anything but Explorer)

---

Exactly, and that is the bit I have the beef about. I believe it should be integrated , not embedded . Remember, it would be MS to MS so should give better performance than a third party stand alone.

With the three "facets" I picked on I was considering something that held good for a stand alone machine that was not at risk. No network, no internet, limited applications, say a control box for a mass spectrometer.

Stability is indeed a part of the broader concept of "security" because it is the security of the organisation's data which are part of its assets.

Quote:

---

Your car can go far past the speed limit, why should it be able to if you can never go that fast?

---

Bad analogy mate, the answer is "marketing bullcrap and bragging rights"..............it is just a male pen1$ substitute. Operating systems and browsers have yet to become so AFAIK :D

You are going at things from the wrong end IMO.

Quote:

---

But your average user cannot use these things effectively, ergo, they should be disabled

---

You must remember in the past you had to deliberately download and install the "clever bits" from the CD? That is the way to go, or supply the system with them disabled by default. Probably a mixture of the two?

Quote:

---

How many of those patches are rendered meaningless by a proper configuration? A home user should only be vulnerable to kernel exploits if properly configured.

---

The answer is "none" if you are honest. Microsoft don't spend all that money on patches and taking crap if they could get away with that argument. It all boils down to what a home user is given "out of the box"...........M$ want to dumb things down, so be it.............this is the consequence?

Also, you have to realise that there are still a lot of home users Worldwide who do not have an operating system that even supports "proper configuration" as I imagine you mean it. I have no idea about XP Home but anything before it certainly has not.

You must realise that to the home and SOHO user the computer is like a microwave, a TV, an elecric drill.................they take it out of the box and use it "as is" ..........and that is the status that needs looking at.

:)

Quote:

---

Bad analogy mate, the answer is "marketing bullcrap and bragging rights"..............it is just a male pen1$ substitute. Operating systems and browsers have yet to become so AFAIK

---

You haven't seen Noia's e-penis script?

Quote:

---

Also, you have to realise that there are still a lot of home users Worldwide who do not have an operating system that even supports "proper configuration" as I imagine you mean it. I have no idea about XP Home but anything before it certainly has not.

You must realise that to the home and SOHO user the computer is like a microwave, a TV, an elecric drill.................they take it out of the box and use it "as is" ..........and that is the status that needs looking at.

---

So we should just pander to their ignorace as if it were unchangeable?

And NT4-XP has had the tools. I do not know about anything before NT4.

Quote:

---

Originally posted here by nihil
[B]Exactly, and that is the bit I have the beef about. I believe it should be integrated , not embedded . Remember, it would be MS to MS so should give better performance than a third party stand alone.

---

What operating system doesn't ship with a browser... in the Linux case.. who about Window Managers?

Windows - Internet Explorer
Mac OS X - Safari
Console Linux - Lynx / Links (Btw Synja, you should have said Lynx was the fasted browser.. not Links)
Gnome - Firefox Chrome
KDE - Konqueror

I find nothing wring with IE's coexistance with Windows... Does that mean I use it... not very often (However, IE 7 looks promising) but I do use it.. more for it's embedded features actually... I use Dave's Quick Search Bar which is basically a website that displays as a search bar on your task bar... very handy... very convenient.

Quote:

---

Bad analogy mate, the answer is "marketing bullcrap and bragging rights"..............it is just a male pen1$ substitute. Operating systems and browsers have yet to become so AFAIK :D

---

That's an awful explanation... Cars go fast because speed limits vary, because some places don't have speed limits, because some people race their cars for sport, because increased speed saves time, because having variable speed allows you more control...

Quote:

---

The answer is "none" if you are honest. Microsoft don't spend all that money on patches and taking crap if they could get away with that argument. It all boils down to what a home user is given "out of the box"...........M$ want to dumb things down, so be it.............this is the consequence?

---

MS doesn't want it that way.. the home user wants it that way... I just had this sort of argument at work... MS caters to corporate and enterprise environments.. where they know the machines will be properly secured (or it's the fault of the admin)... the home user wants things simple.. How much business would they lose if you had to log out and log in as another user to install a game, or if you couldn't access all of your system as a single user... That's what keeps alot of people from switching to *nix and MS knows it.. so they are giving the users what they want.. it's smart business.. Car Manufacturers still put ashtrays in their cars even though they know that cigarettes kill.. where's the difference...

Quote:

---

Also, you have to realise that there are still a lot of home users Worldwide who do not have an operating system that even supports "proper configuration" as I imagine you mean it. I have no idea about XP Home but anything before it certainly has not.

---

Any system can be properly configured... It's just a matter of knowing what steps to take and how difficult it is... besides.. XP itself is how old now.. if you're running something older... that's your fault.. it's like running a 25 year old car and wondering why it breaks down... That's not the manufacturers fault... that's the drivers fault for still driving it... Yet a car enthusiast (much like the computer enthusiast) can keep it running for quite a bit longer because they know the things they can do under the hood to make it stand up and stay together.

Quote:

---

You must realise that to the home and SOHO user the computer is like a microwave, a TV, an elecric drill.................they take it out of the box and use it "as is" ..........and that is the status that needs looking at.

:)

---

This comment here renders your comment that "that none of these patches are rendered useless by proper configuration"... most of Microsofts loopholes, vulns and exploits can be 100% eliminated by proper configuation... end user don't care about doing that.. so microsoft is kind enough to release the updates and patches... sometimes they are necessary but quite often they are simply released to make the life of people simpler.

MS is doing really well since they announced their security initiative and I'm really tired of people running it into the ground.... People don't like the company.. that's fine.. say you don't like the company... don't try and beat them to the ground behind lies and mis-truths... it just hurts your case.. it doesn't support it.

Peace
HT

Quote:

---

(Btw Synja, you should have said Lynx was the fasted browser.. not Links)

---

I realized that after I posted... I'm just so used to using Links... Much better interface, and better rendering.

Quote:

---

So we should just pander to their ignorace as if it were unchangeable?

---

Exactly so, that is how Microsoft and Mackintosh sell it. Sale Of Goods (implied terms) Act...........the product must be of merchantable quality and fit for purpose. "Passing off" is an offence. You buy a COTS product and you are entitled to expect it to work as advertised.

Quote:

---

And NT4-XP has had the tools. I do not know about anything before NT4.

---

They don't support it. And remember that NT4 ran alongside Win95, Win 98 and Win98SE. Win ME was contemporary with Win NT5 (2000).

Quote:

---

What operating system doesn't ship with a browser... in the Linux case.

---

As far as I am aware Windows is the only one that ships with an embedded browser which was what my point was about.

Quote:

---

I find nothing wrong with IE's coexistance with Windows

---

Neither do I, but it should be integrated rather than embedded...........and I have the grey hairs to back that distinction up ;) Hey, MS Office is integrated isn't it?

Incidentally, this is the way that MS intend to go. Please believe me that embedded applications are a real horror story, particularly as the mothership gets more and more complex. With an integrated system, you can develop the two in parallel, and re-integrate.

Now, if IE is extracted from the shell, MS would have the opportunity of just buying Mozilla or Opera and start afresh. If you follow the market over the years you will see that is how they operate?

Quote:

---

Any system can be properly configured..

---

I eagerly await your tutorial "How to security harden DOS 5.0" with bated breath :cool:

Sure, Microsoft is as pure as the driven snow, well...............keeps us in jobs doesn't it?

Quote:

---

I eagerly await your tutorial "How to security harden DOS 5.0" with bated breath

---

Wow... is that a challenge?

I guess I have to find a copy of DOS 5

Quote:

---

I guess I have to find a copy of DOS 5

---

Hmmm..................I have several, :D

The point is that up until XP, MS were running a domestic (effectively stand alone) range of home products, and their commercial line. Now, if someone spends the equivalent of $5,000 over here, they expect it to last, and probably at least 10 years, particularly if they don't use it that much.

You have to remember that prices in Europe are much higher than the USA, and we have very strong consumer protection laws.

In a lot of places we don't have a "throwaway" society...................we make things last, and would not waste money on upgrading a perfectly functional operating system.




;)

Quote:

---

You must realise that to the home and SOHO user the computer is like a microwave, a TV, an elecric drill.................they take it out of the box and use it "as is" ..........and that is the status that needs looking at.

---

Ain't that the truth. Most home/soho users could care less about security.

Hey brokencrow at least you can appreciate where I am coming from.

Sure in a big defence, government or corporate environment you have a "security policy", you get crap in from Dell or HP or whoever, wipe it and ghost the standard desktop onto it..............no problem ;)

Quote:

---

Ain't that the truth. Most home/soho users could care less about security.

---

It is actually even worse than that, they don't even realise that it is an issue or a problem, and that is how it is sold to them. No checklists, no instructions, no advice sheet telling them about security issues at all.

If I buy an automobile I expect to be able to drive it straight out of the showroom, not have to krypton tune the damn engine first? That is how they look on a PC, and how they are encouraged to look on them :eek:

Basically, the industry has gotten it wrong. The corporates are going to wipe the crap they have preloaded so they really need not bother apart from testing (not that they seem to be doing much of that these days). Perhaps they should put more effort into what they sell through retail outlets, knowing the customer base they are selling into?

I am certainly too old and too tired to expect any significant change in customer awareness in my lifetime.

:(

I see it ALL the time, nihil. The SOHO client who uses Napster for some office muzac and ends up 0wn3d (that guy was getting 3000 emails every 45 minutes for his computer's part in a DoS attack). Another SOHO who ignores my advice to use Firefox, goes to a gaming site via IE for a little R&R only to get BADLY infected with spyware. Friends who spend hours cleaning up their multi-user Windows computers every month.

Then there's the Apple user. Nary a problem from them. No spyware, no virus infections. They just cruise.

Microsoft: they'll sell you the car, then when the wheels fall off, they'll sell you the lug nuts. ;)

Hey Hey,

Quote:

---

nihil
You have to remember that prices in Europe are much higher than the USA, and we have very strong consumer protection laws.

In a lot of places we don't have a "throwaway" society...................we make things last, and would not waste money on upgrading a perfectly functional operating system.

---

I find it hard to belive that prices are that much higher.. especially when you have the ability to buy from online stores at the same price that Americans and Canadians do... Many Canadians buy from Asia or the USA and pay shipping, customs fees, etc just because it works out cheaper... My ex-roommate's headlights were shipped from Hong Kong... As for a throw away society... that's fine.. you guys reuse.. but at the same time.. it's not ap erfectly functional operating system.. it's an outdated and antiquated operating system.. If you want to be involved with IT or even have technology in your home you have to accept that it's ever changing.. It's like people that bought LCDs in the last couple years.. only 12 of those models are HD-ready... even fewer video cards. you can't expect everything to be supported and work perfectly if you have something that's old.. It's like owning a 30 year old car and complaining that it doesn't have Power Windows, Power Locks, Power Steering, a CD Player and a built in alarm system... it's upgrades.. it happens... get used to it.. or keep living in the past.. Maybe that's why so much of Europe is considered to be the 'old world'.

Quote:

---

brokencrow
Ain't that the truth. Most home/soho users could care less about security.

---

How much do you care about security? You secure your computer... What about your home?? I can pick the lock on your door... I can smash a window or cut the glass.. Do you have metal bars up over all the glass and a 2-key locking system on your door where both keys must be turned at the same time and then you have to have a fingerprint scan to get in? Is your door reinforced steal with an alarm system inside the house.. Motion detectors, Video Cameras, etc.. do you have guard dogs patrolling the perimeter? It's the same thing... How about your car... have you ever ran in the convenience store and left a window down.. or the engine running... do you have an alarm.. Will it disable the igition if it's activated or removed? Do you care about security with everything... or only your computer because you know IT... How about banks.. did you investigate your bank.. ensure they were safe and secure.. in Canada I believe bank accounts are only ensured for $100,000 in loses.. do you keep more than that in your account.. Where's the security there..

Quote:

---

nihil
It is actually even worse than that, they don't even realise that it is an issue or a problem, and that is how it is sold to them. No checklists, no instructions, no advice sheet telling them about security issues at all.

If I buy an automobile I expect to be able to drive it straight out of the showroom, not have to krypton tune the damn engine first? That is how they look on a PC, and how they are encouraged to look on them

Basically, the industry has gotten it wrong. The corporates are going to wipe the crap they have preloaded so they really need not bother apart from testing (not that they seem to be doing much of that these days). Perhaps they should put more effort into what they sell through retail outlets, knowing the customer base they are selling into?

I am certainly too old and too tired to expect any significant change in customer awareness in my lifetime.

---

You're saying it's Microsofts fault that they run their PCs the way they do?? Microsoft doesn't encourage it.. they have plenty of videos available on proper use of a PC... they give the customer what they want.. it's up to the customer beyond that point. Microsoft has checklists and instructions available on their website and videos offering advice.. so I'm not sure where you found your information on that..

As for the car quote.. You expect to be able to drive it off the lot.. but you also had to pass a test first and study and prove you could drive that car... the car company doesn't do that.. The government does... so maybe the government should do the same with computers.. but again.. it's not Microsoft's fault... As for "krypton tuning the engine" I'd say that'd be like overclocking your computer... how about a more accurate response.. Do you expect your car to have an alarm system (security is what we're talking about)... Most low end cars still don't.. you want an alarm.. you pay extra for it... You want your computer secured properly.. you pay extra to have someone do that..

Again why put more effort into what they sell.. it just drives prices up... why Should i pay more because someone else doesn't know how to use their computer.. the same as why should I pay more for a car with an alarm when I don't want an alarm system... or I could install it myself.. Computers are no different than anything else.. people just hate Microsoft (without a really valid reason) and want to try and get them..

Quote:

---

brokencrow
I see it ALL the time, nihil. The SOHO client who uses Napster for some office muzac and ends up 0wn3d (that guy was getting 3000 emails every 45 minutes for his computer's part in a DoS attack). Another SOHO who ignores my advice to use Firefox, goes to a gaming site via IE for a little R&R only to get BADLY infected with spyware. Friends who spend hours cleaning up their multi-user Windows computers every month.

Then there's the Apple user. Nary a problem from them. No spyware, no virus infections. They just cruise.

Microsoft: they'll sell you the car, then when the wheels fall off, they'll sell you the lug nuts.

---

Uses napster and get's owned (btw muzac... come on.. are you 12?).. It's his own fault for trusting napster... it's like people that trust skype.. look at where the creators got their start... You can't blame the OS for that... blame the makers of that software... that's just a completely moot point.

Also what sort of gaming sites is your customer using that they get drive-by spyware installs from it.. and why are they stupid enough to frequent those types of sites... Besides with IE on XP SP2 I can go to astalavista.box.sk and crackz.ru and all the other sites and never have anything installed... That's user stupidity.. As for your friend cleaning their computer.. what do they do to cause these infections??

In my house we have 2 XP Desktops, 2 Ubuntu Laptops, a Ubuntu Desktop and an OS X machine.. the one XP Desktop is my girlfriends.. no spyware, no viruses, no need to spend time cleaning it.. and I never touch it... She's not a big fan of computers.. she uses it as a tool and as a toy.. and she never has a problem with it.. I switched her from norton to AVG but that was about it.. when she had Norton she was going online every year and buying a new subscription.. So what sort of idiot is your friend that they have to spend hours cleaning their computer? The OS is not the problem.. the user is..

Now do you have OS X? OS X has malware, has viruses and has been hacked... The difference is that it isn't a mainstream OS... it's user base is like the linux user base... small.. Everything exists for Windows because you have a better chance of infecting more users... That's the only reason.. I actually get more pop-ups on Safari than I do on IE or Firefox.

And the car/lug nuts point.. Would you care to equalize that.... to justify that comment.. Microsoft provides you with a product... a fairly decent one at that... They then provide you with upgrades and additions to that product free of charge.. You want to look at cars.. think back to the Corsica... a GM.. Look around.. if you see one still on the road.. It will prolly be missing it's gas cap.. or the cap will be open because the latch broke.. the paint will be peeling off or complely peeled off (if it was the blue model).. GM never did anything to fix those problems for their customer... So your car analogy completely sucks...

I'm really getting sick of people ragging on a decent product... Your attempts to insult the product tell me one of a couple things..

1) You're an idiot who can't use the product yourself so you take out your frustration with the product by insulting it.
2) You're surrounded by idiots (see #1) and you take everything you hear at face value and believe their comments.
3) You're a moron...
4) You really have no clue about IT or how the IT world works
5) You just want to be heard.

Peace,
HT

i find with windows xp , if its installed and configured correctly , i dont have very many issues, sucurity or otherwise

The gambling site looks legit, installed Spy Falcon (aka vcodec) via IE. The soho is running XP w/ SP2 and all the updates. A classic drive-by install. How do YOU think this stuff gets in a Windows box? The Wicked Witch of the East maybe? You don't think it could be a combo of ActiveX and IE?

As for my friends who constantly wrestle with their home PC's, they're multi-user machines. Teenage boys are the worst in my experience. The porn sites are not kind to them and they could care less about navigating dodgy sites.

Users certainly do bring it on themselves. I use XP and W2K. I don't run any antivirus software, once in a while I run Ad-Aware or Spybot. I don't get infected with anything because I stay away from dodgy sites and Internet Explorer, which is a demonstrably unsecure product. Not everyone's going to know the risks. Nihil makes some good points about what users expect. They expect a PC to be secure out of the box. And of course it's not. Users expect the damnedest things to be secure (napster!), and they're not. The debate, for some of us, is essentially about where does MS's responsibility end and the users' begin.

What's up with the insults? Maybe you should drop the thread if you can't handle it. That's quite a speech...

:mad:

Quote:

---

Originally posted here by brokencrow
The gambling site looks legit, installed Spy Falcon (aka vcodec) via IE. The soho is running XP w/ SP2 and all the updates. A classic drive-by install. How do YOU think this stuff gets in a Windows box? The Wicked Witch of the East maybe? You don't think it could be a combo of ActiveX and IE?

As for my friends who constantly wrestle with their home PC's, they're multi-user machines. Teenage boys are the worst in my experience. The porn sites are not kind to them and they could care less about navigating dodgy sites.

Users certainly do bring it on themselves. I use XP and W2K. I don't run any antivirus software, once in a while I run Ad-Aware or Spybot. I don't get infected with anything because I stay away from dodgy sites and Internet Explorer, which is a demonstrably unsecure product. Not everyone's going to know the risks. Nihil makes some good points about what users expect. They expect a PC to be secure out of the box. And of course it's not. Users expect the damnedest things to be secure (napster!), and they're not. The debate, for some of us, is essentially about where does MS's responsibility end and the users' begin.

What's up with the insults? Maybe you should drop the thread if you can't handle it. That's quite a speech...

:mad:

---

The Drive-By-Downloads come from running at a high user level (Administrator) with low security permissions... Otherwise the user would not be able to install the software from the drive-by or they'd be prompted... but users don't want that kind of hassle. As for the multi-user machines.. awwww.. boohoo... I spent years sharing a PC with my parents and two sisters.. still never had any problems.. If it's multi-user created multiple accounts... with low priviledges.. not everyone needs admin, in fact no one should use admin... that's the users fault again.. User don't expect a PC to be secure... They just don't care one way or another.. expecting something and not caring are two different things.. I expect a shitty government to be elected... others don't care if a shitty government is elected.. two very different things.. If someone expects napster to be secure.. they're a ****tard (to quote... hrm.. I believe deb first used that here)... and also napster is no longer P2P it's an online store.. how the hell do you get spyware from an online store... I've used the iTunes store.. I get an audio file and that's about it..

There is no debate regarding Microsoft's responsibility and the users... Microsoft provides an operating system... that's all.. or software.. depending on what you get from them... That's all they have to do.. you use it.. it was your choice to use their software.. If you make that choice... don't bash it... It's like people that don't vote and complain.. or vote for the elected government and complain.. you made a choice.. accept it.. Let's say your car tops out at 200... Sure you could go 200 but you could get a ticket or crash and kill someone... is that the manufacturer's problem??? Nope.. it's yours... Sure your computer comes with Admin access.. does that mean you have to use admin access?? nope... so if something happens.. who's fault is it... your fault.. plain and simple.

As for the insults.. they weren't insults... they were the truth.. those are the only possible reasons that you could be spouting such drivel.. You are bashing a company because they make money and your jealous.. or your an idiot.. or you know idiots.. I'm not insulting you... I'm stating the obvious... Are there things that MS could do to improve... yes... but here are things every company could do to improve.. including the various Linux Distributions and OS X... so quit your ****ing whining...

Peace,
HT

A high user level (Administrator) with low security permissions. Standard SOB for Windows, yes? It's not on an Apple. Or on Ubuntu. Don't you find it negligent MS ignores user levels out of the box? I do.

Users don't expect a PC to be secure? You honestly believe that? Millions of folks do their banking online with every expectation it's secure. Where do you get this stuff? It's obvious the public is in the dark on PC security. And that falls to the industry to educate the public on the risks.

There is no debate regarding Microsoft's responsibility and the users? Then what are you still doing here on this thread?

You know, they used to manufacture cars with no seatbelts. Dashboards were bare metal, and steering columns were rigid columns that routinely impaled drivers.

Too bad Ford, GM and Chrysler didn't have EULA's back in the day.

Hmmmm,

Quote:

---

I find it hard to belive that prices are that much higher

---

Well I live here...............and have done so for many years, so I would suggest that you do believe me. We get ripped off big time! To give you an example, when I talk to Americans I use the rate $1 = £1 because that is the price differential. And please don't give me that "internet, e-trade" crap............we have a very effective customs system here.............our sales tax is 17.5% (they add that automatically), then there is import duty, then you have to pay the carrier, then there is a £10 "documentation fee"............

OK, if it is not bulky, not heavy and not valuable you may get away with it.............to some extent, otherwise, NOT!

QUOTE:

1) You're an idiot who can't use the product yourself so you take out your frustration with the product by insulting it.
2) You're surrounded by idiots (see #1) and you take everything you hear at face value and believe their comments.
3) You're a moron...
4) You really have no clue about IT or how the IT world works
5) You just want to be heard.

Ah! you must have been looking in a mirror when you typed that?

Please, never, ever, say that again on this forum. This is a site for IT security professionals and enthusiasts.............not for little kiddies who spit their dummies, jump out of their prams and throw hissy fits.

And as for the APs AND THIS IS A MESSAGE TO WHOMSOEVER IT MIGHT CONCERN...........if you cannot take losing a logical discussion, please go and join UnError, you will feel at home there I am sure.

I am going to close this thread as it is getting ridiculous............

Quote:

---

Originally posted here by brokencrow
A high user level (Administrator) with low security permissions. Standard SOB for Windows, yes? It's not on an Apple. Or on Ubuntu. Don't you find it negligent MS ignores user levels out of the box? I do.

---

Yer serious here right??? Allow me to switch over to OS X and check something... Oh yeah.. one account (created during the setup) and it has Administrator rights... sorry.. but yeah I do see that on Apple.. now Ubuntu... let me remember... Ubuntu (since you picked it specifically) just had a problem where the passwords were stored in a log created during install... (Where's the responsibility there...) What was after that... oh yeah.. I can type sudo before a command and run it as root (using my user password.. and not a seperate root password).. I can see how that's much better than having a seperately password protected root account.

Quote:

---

Users don't expect a PC to be secure? You honestly believe that? Millions of folks do their banking online with every expectation it's secure. Where do you get this stuff? It's obvious the public is in the dark on PC security. And that falls to the industry to educate the public on the risks.

---

Just because people do their banking doesn't mean they expect that their computer is secure.. If people expected their computers to be secure out of the box you wouldn't see so many sales of AV software (AV Companies wouldn't exist), neither would personal firewall companies... there'd be no need for them... People expect their PC to be secure with minimal work.. but not out of the box.. It doesn't fall on the industry to educate the public.. it falls on the public to educate themselves.. to take courses.. Because I sell knives does that mean I have to teach the public not to stab themselves?? Nope... So why should the PC industry have to educate it's users?

Quote:

---

There is no debate regarding Microsoft's responsibility and the users? Then what are you still doing here on this thread?

You know, they used to manufacture cars with no seatbelts. Dashboards were bare metal, and steering columns were rigid columns that routinely impaled drivers.

Too bad Ford, GM and Chrysler didn't have EULA's back in the day.

---

There isn't a debate.. There's a couple of loudmouths bashing MS... that's all I'm seeing here.. As for cars.. there are laws require seatbelts... That's what prompted them to install seatbelts... Also that was killing/injuring people.. Do you see computers walking around impaling people?? Do you see laws on how secure people's computers should be?? There's a big difference in those too things..

Now on to nihil

17.5%... Ours is 15%... that's only a whopping 2.5% difference which isn't that much.. Then we have Custom Fees on top of that (your Import fees)... then we have to pay the carrier and then depending on the item their are other fees as well.. Don't think you're the only one who has to pay extra fees because you're not.. Remember I'm not American.. so don't give me your sob story about things being expensive.

Quote:

---

Ah! you must have been looking in a mirror when you typed that?

Please, never, ever, say that again on this forum. This is a site for IT security professionals and enthusiasts.............not for little kiddies who spit their dummies, jump out of their prams and throw hissy fits.

And as for the APs AND THIS IS A MESSAGE TO WHOMSOEVER IT MIGHT CONCERN...........if you cannot take losing a logical discussion, please go and join UnError, you will feel at home there I am sure.

I am going to close this thread as it is getting ridiculous............

---

Let's see... nope.. wasn't looking in the mirror.. and I believe I'll say what I want... You're right this is a site for IT security professionals and enthusiasts..and last time I checked I was an IT security professional.. are you? is brokencrow? It's also a site for intelligent, educated people.. yet both of you feel the need to bash a company for no reason other than a dislike..

As for the APs, I don't believe I'm losing this discussion at all, in fact I'm pretty sure that most of the IT world.. other than the few kids that hate MS would agree with me.. I negged for stupid opinions and in your case for the next line in your comments.. About closing the thread... That's nothing but a blatent abuse of mod power... I'd like to point that out ot JupM at this time as well.. Abusing mod power by closing threads because they aren't going in his favour and suggesting to members that they leave this site and go join another Forum... that's definately not the action that should be coming from a Mod... Had it just been the first comment, that would have been cool... because Mods are also members and entitled to their opinions.. but as soon as you mix the two.. that's not cool.. a line must be drawn.

Peace,
HT

Hey Hey,

I forgot one thing.. The Canadian dollar is worth less than the pound or the American dollar so in reality it costs more for us..

Peace,
HT