It's Official: Microsoft is Insane

OldPueblo said:
Something occurs to me, and something Phoenix said in a different thread got me thinking this. I went back and re-scanned the article above and it wasn't immediately clear. It seems to me that MS is probably not updating IE in terms of the features, not security updates. The wording is tricky, but is it possible they are talking about the "security enhancements" like the pop-up blocker, the add-on manager, etc? I mean they are security enhancements, but not security patches. If someone finds out how to hack an OS older than XP but related to IE, MS I'm sure is going to fix it. I think they simply mean the "new" version of IE, meaning the enhancements. If so, then that's not such a big deal. People still get security updates, and if they want to take advantage of newer browser security enhancements (blocker, ActiveX, Java, whatever), then they can snag FF or whatever else. I think MS is saying it's now as if there were Win98 IE, Win2k IE, and now WinXP IE. And since WinXP IE is the latest one, it's the only one they are going to continually update with enhancements.

http://www.microsoft.com/windowsxp/using/web/sp2_infobar.mspx
If Internet Explorer default settings are on, you'll see the Information Bar when a Web site tries to:
Install an ActiveX control on your computer.
Open a pop-up window.
Download a file to your computer.

How the Information Bar Works

Sometimes Web sites will display an ActiveX control or active content that may be potentially dangerous or try to download a file to your hard drive without your knowledge or permission. This is how many people accidentally get spyware on their computer. The Information Bar notifies you when it blocks this content and then lets you decide what to do.

and the difference between spyware and malware is now so blurred it's just shades of grey
it's not the inconvenience part that is the issue, they aren't "enhancements", these are basic controls for ActiveX, and if not extended to the world's most popular browser, as seen on some 200 million computers, it is a huge security hole (unless they disable ActiveX and WSH), the very reason there is the upgrade in IE to start with,

basically
"we got the fix, but if you aint goin to pony up for XP, we are going to leave you hanging in the wind, go get some other software to take care of that, or learn how to do it yourself
we aren't responsible, so what if we integrated insecure subsystems into the shell"
 
Jumpin baby jebus... I gotta wrap my head around this one, but I think we may be jumping the gun a little, for two different reasons.

Give me a few, let me sift through some/all of this and I'll post back in a bit.
 
more fuel for the fire
Microsoft Changes Its Tune on Porting SP2 Fixes @ eweek
But this week, the Redmond software vendor issued a definitive statement regarding its back-porting intentions. The decision: No SP2 fixes—not even ones such as the SP2 pop-up blocker or the ActiveX control blocker—will be offered for users of older versions of Windows and IE (Internet Explorer).

full story > http://www.microsoft-watch.com/article2/0,1995,1650750,00.asp

Will Microsoft Offer XP SP2 Security to Older Windows? @ eweek

Microsoft Needs to Secure All Users—Period @ eweek
 
Could be worse, MS could revoke all license agreements with OSes previous to XP.

Then we couldn't talk about running win9x here anymore out of fear, you know, like the sticky in "Games & Gaming Equipment".

Think about it, even when they do support the old OSes, a lot of those 200 million users don't even apply the patches.

Why worry too, people here keep preaching you don't need SP2 if you have a good AV and firewall, shouldn't the same be true of the old OSes? :p
 
Riftgarde said:
Could be worse, MS could revoke all license agreements with OSes previous to XP.

and we could launch ICBMs at Redmond too :p

it ain't the AV or firewall, those are largely beside the point
it's the ActiveX in the browser & OS and other scripts

http://www.microsoft.com/technet/security/guidance/avdind_0.mspx
specifically > http://www.microsoft.com/technet/security/guidance/avdind_3.mspx
Malware Threat Vectors

There are a number of methods through which malware can compromise an organization. These methods are sometimes referred to as threat vectors and represent the areas that require the most attention in your environment when designing an effective antivirus solution. The following list includes the areas in typical organizations that are subject to the most risk for malware attack:
• External networks. Any network that is not under the direct control of an organization should be considered as a potential source for malware. However, the Internet is by far the largest malware threat. The anonymity and connectivity that the Internet provides allows individuals with malicious intent to gain rapid and effective access to many targets to mount attacks using malicious code.
• Guest clients. As the use of laptops and mobile devices continues to expand in business, devices are regularly moved in and out of other organizations' infrastructures. If guest clients do not have an effective antivirus defense in place, they represent a malware threat to the organization.
• Executable files. Any code that has the ability to execute can act as malware. This includes not only programs, but also scripts, batch files, and active objects such as Microsoft ActiveX® controls.
• Documents. As word processors and spreadsheet applications have become more powerful they have become targets for malware writers. Macro languages supported within many applications make them potential malware targets.
• E-mail. Malware writers can exploit both e-mail attachments and active Hypertext Markup Language (HTML) code within e-mail messages as attack methods.
• Removable media. File transfer via some form of removable media is an issue that organizations need to address as part of their antivirus defenses. Some of the more common removable media include:
 
The last line was sarcasm, I'd say complain about Windows 2000 the most since it's right before XP. W2K showed me how ass Win9X was. If it wasn't for W2K I might be using Linux today.
 
Rogue4mula said:
you do that, and I die of radiation poisoning :eek:

well, they don't have to be armed with nuclear warheads
I guess we could just stuff 'em full of limburger cheese :p

but the nukes would be more humane :p
 
How long do people expect Microsoft to provide updates and patches? Hey, let's sue them for not putting out any more DOS updates too!! They can't do it forever like everyone wants. I say just upgrade to XP as it's much better than any of its predecessors anyways. New versions of Windows are meant to be upgrades to older versions anyways. It's like bitching to Id Software for not patching Q2 anymore.
 
BoogerBomb said:
How long do people expect Microsoft to provide updates and patches? Hey, let's sue them for not putting out any more DOS updates too!! They can't do it forever like everyone wants. I say just upgrade to XP as it's much better than any of its predecessors anyways. New versions of Windows are meant to be upgrades to older versions anyways. It's like bitching to Id Software for not patching Q2 anymore.
You do realize that people are pissed that they (originally) dropped support for Win2k Pro, which is virtually identical to XP. It's just IE, so what makes IE on XP so different than IE on 2K Pro or even on Win98? No one is talking about SPs and other patches.
Maybe you should have actually read what's going on before you posted. :rolleyes: Go back and read the first post please.
 
BoogerBomb said:
How long do people expect Microsoft to provide updates and patches? .

for as long as a substantial portion of the population is employing the non-secured OS/browser
and thus attacking the rest of us, because they no longer control their machines

and if that was happening on DOS boxes, I'd be screaming about that right now too :p

a simple .bat file download would disable WSH and ActiveX
what exactly is so hard about that?

either secure it, or make it go the @#@#$%%$@# away
I hope there is some programmer in Czechoslovakia coding a super worm to do just that
if so I nominate him for a Nobel Prize
 
CrimandEvil said:
Hopefully this will lead people on older OSes to move from Explorer to something else (like maybe Firefox ;) ), but yes, this is incredibly stupid: to give everyone the finger and tell them to upgrade to XP if they want to continue using IE. At the very least it's insane for them to say that to 2K Pro users since it's pretty much XP anyways.

Hell, I don't even use an older Win OS nor IE (XP and Firefox) but this still impacts me since it leaves A LOT of people vulnerable to exploits/viruses/etc. and I don't want to get something from them.

Thanks alot Billy boy :rolleyes:

But that's not what Microsoft is saying. They are essentially saying that Internet Explorer 'enhancements' are not being distributed to non-XP operating systems. Such enhancements as a pop-up blocker, etc. They are still supporting it on OSes that they still support overall, but not on Win 95. Security updates will still be distributed to those OSes. It's just enhancements that they are talking about.

Cheers,
 
Just because it's a program of the same name doesn't mean that it works exactly the same way as it does on other versions. XP's codebase was brand new from 95/98, right? IE is said to be integrated into XP, right? I can understand 2kpro users complaining, but not people with 95/98, as I doubt the browser uses the same code as the newer versions.
 
Eigtball said:
But that's not what Microsoft is saying. They are essentially saying that Internet Explorer 'enhancements' are not being distributed to non-XP operating systems. Such enhancements as a pop-up blocker, etc. They are still supporting it on OSes that they still support overall, but not on Win 95. Security updates will still be distributed to those OSes. It's just enhancements that they are talking about.

Cheers,

Spin it all they like, but that isn't an "enhancement"
failure to notify a user that they are unknowingly, inadvertently or inadvisably
installing or downloading potentially malicious code, script or executable

IS A FLAW


the fundamental flaw and infection vector most spyware is based on
and some serious malware as well
 
No I think of that as common sense. With all the attention on security lately there is no reason for people not to know things like that. For as long as I can remember IE has always told me that such software can be potentially harmful before I downloaded it.

People just need to stop thinking of computers as something secondary to have to learn about and know that there is more to them than just pushing the power button. If that's the extent of their knowledge then they don't need one. We can't keep on trying to make them idiot proof.
 
/me checks his zdnet tech update.... holy hell... fuck microsoft... wtf... i can understand win95... but 2000?!?!

i went back to IE after trying firefox and i didn't like it... maybe it was firebird then...
 
Ice Czar said:
Spin it all they like, but that isn't an "enhancement"
failure to notify a user that they are unknowingly, inadvertently or inadvisably
installing or downloading potentially malicious code, script or executable

IS A FLAW

?? The pop-up blocker doesn't block malicious code; it's the underlying subsystem of IE that allows it. What I can see is that those sorts of things are still being addressed for earlier versions of their OS.

But just to show that I am not biased see here

proof.jpg


cheers,
 
OK... Let me play a different kind of devil's advocate, because I think some things are getting blown out of proportion, like OldPueblo said (drag my ass into this... I see. ;) ).

First, consider the writers have it wrong and are taking things out of context. I don't see any direct MS quotes that support their conclusions. Let's take a close look at the quotes and statements.

Microsoft affirmed that its recent security improvements to IE would be made available only to XP users.
"We do not have plans to deliver Windows XP SP2 enhancements for Windows 2000 or other older versions of Windows," the company said in a statement. "The most secure version of Windows today is Windows XP with SP2. We recommend that customers upgrade to XP and SP2 as quickly as possible."
OK. Improvements and enhancements are not fixes. Adding a firewall, for ex., is an improvement, or enhancement to security, but doesn't 'fix' anything that was broken. Same with the infobar, ActiveX still operates the same with and without the infobar. There is no fix in SP2 to ActiveX that isn't available to other OSes, AFAIK. ActiveX can also be disabled.

The ongoing security updates do not, as Microsoft points out, include the latest security fixes with Service Pack 2, released last month. Those include a new pop-up blocker and a new system of handling ActiveX controls and downloaded content.
Oops, now they have switched terms... Now they say fixes. WTF, just a second ago it was enhancements, oh wait, that was the direct quote from MS, and this is the author's term.

Look at the way the author paints everything, he seems very anti-MS.

My take, people are jumping to conclusions... Sort of. ;)

So, we can play word games all day, and perhaps MS is doing JUST THAT!!!

OK, so technically they are not patching the OS, they are adding layers of security, so the fix itself isn't needed. ActiveX broken? No problem, add infobar, now XP users are warned about activeX before it's installed. Did they fix activeX? No. So they are not providing that security fix to other OSes, because it's NOT a fix. They could tell 2K users to enable prompt for every activeX item and get the same security level. It would just prompt MORE than XP.

So the end result, is other OSes will be just as secure, just not as friendly. I believe they WILL continue to provide actual file fixes to lower OSes, just not the new security ADD-ONS to IE in SP2 for other OSes. It's a BIG difference.
 
http://www.adoko.com/activex.html

ActiveX technology was developed by Microsoft for Internet Explorer. The ActiveX object can be placed within a webpage, and works differently from Java as the code is distributed as executable files, and therefore only works on one platform. There are major security risks regarding ActiveX objects. With Java you would have appropriate policy settings in place to prevent Java applets from doing intentional harm to your system. For example, Java applets can't read or write from a local drive on your computer. ActiveX, however, has none of these; they can literally do anything to your system. The security of an ActiveX object relies solely on the digital signature (called code signing). An ActiveX object must be distributed with a valid certificate from a CA like Verisign. The developer of an ActiveX object states that the software is free from viruses and other malicious components when the certificate is given. It is therefore down to the user to try and judge whether the code is safe or not.

An unsafe ActiveX control is when there is a problem with the certificate (i.e. not valid), or it has not been signed at all; otherwise the control is marked as safe. Whereas the certificate can prevent scripts being distributed anonymously or being tampered with, it cannot ensure exactly how safe the code is. However, the system can work, as any known malicious scripts will have a known source. If it is reported to the CA that this code is not safe they will most likely revoke the certificate. However, this will not stop scripts from being available; it can still be accessible, but as an unsigned ActiveX control.

However, this leads to a problem: the maliciously coded controls might not be obviously harmful. For example, the ActiveX object could secretly record all form data you fill in and send it secretly, or plant a virus on your system. It's possible that the cause, in this case the ActiveX control, will never be "discovered" and therefore might never be marked as unsafe and be left to stay and damage more systems.
ActiveX and Spyware

Most spyware programs at present use ActiveX objects to install themselves onto your system. Their scripts are usually signed as well. The reason is because they explain everything in the disclaimer (although sometimes a long read). Therefore, it's not strictly illegal what they're doing, so their certificates tend not to get revoked. This is the main problem as to why spyware gets installed unintentionally. People see the Security Warning and don't treat it as a warning but as a sign of approval by Verisign or whatever other CA approved it. Really the only thing stopping the spyware getting installed will be the user not clicking "yes" to accept the download. The best situation for the supplier of the spyware would be that the user has low security settings and therefore bypasses the security warning completely (making it a drive-by install); this could happen if the security settings are set to "enable" instead of "prompt" for the signed ActiveX objects. I'm sure some users have this security setting who aren't sure what to set it to.

I think the problem of users installing it unintentionally will remain an ongoing problem; either the law has to change or the way ActiveX objects work has to be reconsidered. The fact that it's not illegal makes it acceptable in the Certificate Authorities' view, so they therefore provide a valid certificate, making it a signed script and therefore wrongly considered by some to be always safe.
BoogerBomb said:
No I think of that as common sense. .
you actually used the words "common sense" to describe the general public? :p

CoolWebSearch is winning Trojan war


http://www.wilderssecurity.com/archive/index.php/t-30811.html
Gavin - DiamondCS
May 5th, 2004, 06:59 AM
I can't believe there's no law - none of us can. What can any single one of us do? Nothing. Ask Eugene (Kaspersky) about the latest, it's heavily encrypted. Very very nasty. No one spotted it for a while, I doubt anyone has the actual scripts yet because it is installed from sites - scripts are server side and lots can be hidden. What can WE do about this? As we all add detection we are not stopping the CAUSE of the problem, having IE run in full standard install-whatever-you-want-website mode. Stopping this should be what we tell users, if they have to format to remove whatever "adware" they have on their machine they should write to their leaders and demand action ;)



>>>>Gratuitous Movie quote<<<<<
"A real killer would have asked what that little red button was for"
>>>>>>>>>>>><<<<<<<<<<<<<<

IE has a little red button, and no kiddy level instruction manual
we pay the consequences, and yes I call that a flaw
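The adoko.com excerpt above turns on one setting: whether the Internet zone is set to "enable" or "prompt" for signed ActiveX controls, and an earlier post in this thread suggests a small script to disable ActiveX outright. Below is an added example (not code from the thread, adoko.com or Microsoft) that audits a regedit export of the IE zone keys for that weakness and emits a hardened .reg fragment. It assumes IE's documented zone layout (zone 3 is the Internet zone under `HKEY_CURRENT_USER\...\Internet Settings\Zones`; actions 1001, 1004 and 1201 are the signed-download, unsigned-download and "not marked as safe" ActiveX policies; 0/1/3 mean Enable/Prompt/Disable); verify those against your own export before importing anything. The sample export is constructed.

```python
import re

# Assumed registry layout for IE security zones (zone 3 = Internet); verify against a real export.
ZONES_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
INTERNET_ZONE_KEY = ZONES_KEY + r"\3"

# Assumed action IDs for the ActiveX policies discussed in the thread, with the weakest
# value we accept for each in the Internet zone: 0 = Enable, 1 = Prompt, 3 = Disable.
ACTIVEX_POLICY = {
    "1001": ("Download signed ActiveX controls", 1),
    "1004": ("Download unsigned ActiveX controls", 3),
    "1201": ("Initialize and script ActiveX controls not marked as safe", 3),
}
VALUE_NAMES = {0: "Enable", 1: "Prompt", 3: "Disable"}

# Constructed sample of a 'regedit' export: signed downloads set to Enable (the drive-by case),
# unsigned downloads disabled, unsafe-for-scripting controls only prompting.
SAMPLE_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000003
"1201"=dword:00000001
"""


def parse_reg(reg_text):
    """Parse a regedit 5.00 export into {key_path: {value_name: int}} for dword values only."""
    keys, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
            if m:
                keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def audit_internet_zone(reg_text):
    """Return (action_id, description, current_name, required_name) for each Internet-zone
    ActiveX action set weaker than the policy above. A value missing from the export is
    treated as Enable (0), the conservative assumption for an audit."""
    zone = parse_reg(reg_text).get(INTERNET_ZONE_KEY, {})
    findings = []
    for action, (desc, required) in ACTIVEX_POLICY.items():
        current = zone.get(action, 0)
        if current < required:
            findings.append((action, desc,
                             VALUE_NAMES.get(current, str(current)), VALUE_NAMES[required]))
    return findings


def hardened_reg(reg_text):
    """Build a .reg fragment that sets every audited action to its required value.
    The original export is only used to decide whether anything needs changing."""
    if not audit_internet_zone(reg_text):
        return ""
    lines = ["Windows Registry Editor Version 5.00", "", "[" + INTERNET_ZONE_KEY + "]"]
    for action, (desc, required) in ACTIVEX_POLICY.items():
        lines.append("; %s -> %s" % (desc, VALUE_NAMES[required]))
        lines.append('"%s"=dword:%08x' % (action, required))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for action, desc, cur, req in audit_internet_zone(SAMPLE_EXPORT):
        print("WEAK  %s %-60s %s (want %s)" % (action, desc, cur, req))
    print(hardened_reg(SAMPLE_EXPORT))
```

Running it against the constructed export flags 1001 (Enable, want Prompt) and 1201 (Prompt, want Disable) and prints a fragment that, once imported, makes a re-audit come back clean. Keeping the policy in one dict is deliberate: a site that wants the thread's "disable ActiveX entirely" stance only has to raise 1001 to 3.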
 
Ice Czar said:
IE has a little red button, and no kiddy level instruction manual
we pay the consequences, and yes I call that a flaw
And SP2 didn't fix that button, it put a glass cover over it which you must remove before pushing it. W2K can have a blanket thrown over that same button (prompt on ActiveX, hell, disable ActiveX). It's less visible with the blanket vs the glass cover, but the button has never moved.

I see this as a move to ignore certain flaws by saying 'there is a security blanket instead, cuddle that,' and ignoring the base flaws in ActiveX that allow these exploits in the first place.
 
all of SP2 is that way
but the in your face prompts are exactly the educational tool required
there should actually be a little red button on the browser that is reset with a timer

this one > noscript.exe (direct download)
http://www.symantec.com/avcenter/venc/data/win.script.hosting.html

and right next to it a re-enable ActiveX button also on a 10 second re-disable timer

I think the average user needs to click four maybe five buttons to install an ActiveX control
and there should be flashing lights and a siren too :p

here is another button to integrate
BHODemon


however I concede the point we aren't talking about an exploit
it's a user interface flaw, and a technology flaw
 
So if it's not an exploit they are fixing, and this is the fine line MS is walking, then they truly are offering new features. However, I do not like the idea that the new security features that prevent some of the worst malware may not be available to so many people. I mean MS' position could be 'hey, we don't have to offer new software to an OS', but that's exactly what they did with SP2. They added a LOT of new software to the OS, so that excuse doesn't exactly fly for W2K.

So here's the crux. Does MS fix activeX, or does SP2 'fix' activeX, and they leave it alone?

The former grants previous OSes the fix, the latter, may not.
 
Not to re-open, but here's an interesting and relevant read http://www.windowsitpro.com/email/windowsitpro/index.cfm?d=040928. The interesting part is that this guy is normally very pro MS. Not because he is a fanatic or anything, but because he understands them (like I do :p ). I'm still of the opinion that everyone should be planning their WinXP migration if they haven't already (and if they can afford it since it will be around a long long time), but he makes a good point that if Win2k is fully supported till 2005, it shouldn't be left out of any type of major updates.
 
I think this is a very worthy topic here...

Basically MS is putting the screw to non-XP customers. I can kinda understand W9x kernel OSes, but fuck they RECENTLY extended support for those OSes. That's not even opening the can-o-worms that is W2k, I know a lot of companies still rolling out W2k and have (until now?) had no plans to load XP.
 
actually I think this topic is immaterial to a particular kernel
anything that can run IE is really the issue (barring emulation)
it's the ActiveX technology itself,
they have handed out blasting caps to a kindergarten class
they simply don't want to own up to the shortcomings of the technology
it is an extremely dangerous but useful tool
they have failed to communicate exactly how dangerous it is to the general public
having added another layer of protection and calling it a "feature" is disingenuous
not extending it as an integral part of IE is reprehensible

if all ActiveX controls were intercepted regardless of the security settings
and the simple word
DANGER applied
don't you think people might actually read those things?
 
Ice Czar said:
if all ActiveX controls were intercepted regardless of the security settings and the simple word DANGER applied, don't you think people might actually read those things?

Unfortunately, no.
 
jstnomega said:
Unfortunately, no.
I agree. There is no end to the risks people are willing to take online. Warnings are meaningless to the masses. I see it every day. :(

Ice Czar said:
...they have handed out blasting caps to a kindergarten class...
Well said.
 