-
Hey, guest user. Hope you're enjoying NeoGAF! Have you considered registering for an account? Come join us and add your take to the daily discourse.
Microsoft Not as Secure as they think they are...
- Thread starter Overseer
- Start date
- Status
I'd like to see how other OSes fair against security holes.
I just logged onto a Unix machine at school and I didn't enter my password right...and it let me in. wtf. I'm not keeping my programs on that anymore.
I just logged onto a Unix machine at school and I didn't enter my password right...and it let me in. wtf. I'm not keeping my programs on that anymore.
Lord Error
Insane For Sony
In all seriousness, IE seems to become less secure by every new major update. I love it and all, but it's just getting ridiculous. I find it incredible that after all these years and all these updates, there comes a virus that installs crap on your machine with your only action being to boot the machine, and connect it to the internet. Without even visiting a single site. I can accept any infection related to user stupidity, opening weird attachments and downloading crap, but viruses being pushed to the computer without any kind of user interaction, and OS/IE allowing that, it just boggles the mind. This JPEG explot is about as ridiculous, if not even more so. Next I know, virus will spread through the security hole in notepad, by opening the speciffically formatted text document.
ConfusingJazz
Member
Lord Error
Insane For Sony
I tried using Firefox, but it's the little things about IE usability that I just can't live without.
seismologist
Banned
The huge problem with Windows is spyware. I
If they dont find a fix for that they could could down in a hurry.
If they dont find a fix for that they could could down in a hurry.
Lord Error
Insane For Sony
It's the little things like how the address bar text behaves when I click / double click on the URL there, or how the cursor remains the text input cursor when I select the block of text in Firefox (instead of switching to a regular arrow and letting me know that I can drag that text and that it's not going to de-select if I click there trying to drag it). Or how the page shifts to the left if there's a dynamic html content there which makes the page all of a sudden exceed the height of the browser window, as the vertical scrollbar appears out of nowhere (whereas IE has reserved space for scrollbar even when it's not used, it just renders it as ghosted)
This one has nothing to do with IE.
It's a bug in an image manipulation and 2D rendering library (gdiplus.dll), which is used by all sorts of apps (including IE).
In basic concept, it's not a whole lot different than say, this bug in Qt:
http://secunia.com/advisories/12325/
Though the gdiplus.dll vulnerability is much more serious because it's used in one specific high profile app: IE.
It's a bug in an image manipulation and 2D rendering library (gdiplus.dll), which is used by all sorts of apps (including IE).
In basic concept, it's not a whole lot different than say, this bug in Qt:
http://secunia.com/advisories/12325/
Though the gdiplus.dll vulnerability is much more serious because it's used in one specific high profile app: IE.
Echoes of Pink
Member
"The corrupted JPEG images are indistinguishable from other images posted in the group, but contain a slightly modified version of recently released exploit code for the JPEG vulnerability called the "JPEG of Death" exploit, which appeared over the weekend, according to Johannes Ullrich, chief technology officer of The SANS Institute's Internet Storm Center."
:lol
:lol
clipunderground
Member
seismologist said:
Ain't that the truth. I work at a college and I can't tell you how many people I see with computer issues from hell due to spyware. Something needs to change.
Stuggernaut
Grandma's Chippy
Most people I know that have a lot of problems with Windows are just too stupid to know any better.
DarienA said:
What is with you and this constant harping about the connection. As if it's the root of every security hole known to man. You come into every thread about an IE security issue (almost always a buffer overflow that has nothing to do with 'the OS') and complain again and again about the same thing.
As if a buffer overflow cares what program it's exploiting. If the program has privileges, it can exploit them. IE, quite frankly, has no more direct privileges than any other program you run. The same damage could be done if Photoshop had an overflow in its jpeg handling.
Stick your head in the sand as if you don't know what the hell I'm talking IE is SATAN AND THAT'S ALL THERE IS TO IT!maharg said:
Regardless of the specific bug thread the fact of the matter is that MOST of the vulnerabilities of MS OS' be they directly related to IE or not are attacked THROUGH IE.
Even if this were the case the fact that you use IE to brows the web and not photoshop makes it the weak link.
I didn't say IE wasn't buggy, or that it was secure.
I simply want you to stop insisting that it's because of something that has *nothing to do with it*. It's like insisting that a car's engine always fails because the driver works for MS.
Indeed it is. And ANY browser is such a weak link. Whether they are more secure or not is a completely different matter. The point is, a buffer overflow exploit does not require that the program 'be tied into the OS' (which in this case is practically a meaningless assertion to begin with) in order to be effective. Capiche?
I simply want you to stop insisting that it's because of something that has *nothing to do with it*. It's like insisting that a car's engine always fails because the driver works for MS.
DarienA said:
Indeed it is. And ANY browser is such a weak link. Whether they are more secure or not is a completely different matter. The point is, a buffer overflow exploit does not require that the program 'be tied into the OS' (which in this case is practically a meaningless assertion to begin with) in order to be effective. Capiche?
maharg said:I didn't say IE wasn't buggy, or that it was secure.
I simply want you to stop insisting that it's because of something that has *nothing to do with it*. It's like insisting that a car's engine always fails because the driver works for MS.
Read one of the articles behind one of the links in that article.. better yet I'll paste a piece of it:
While the new exploits work when the JPEGs they create are opened in Windows Explorer, they only crash Windows systems when opened in Internet Explorer or Outlook. However, the scripts could be modified to work with most versions of Microsoft's operating system applications, Florio says.
http://www.pcworld.com/news/article/0,aid,117902,00.asp
Looks like it's related to IE to me...
EDIT:
See above.
You realize that when I say IE I'm speaking on the fact that the explorer.exe engine is used to browse the web as well as used by windows explorer for system browsing etc?
ARGH
Read please.
"Release a new version of IE that isn't so tied in to the OS as to call these types of issues?"
THIS is the bullshit I'm talking about. You constantly insist that the problem is that IE is 'so tied into the OS' and that fixing that would fix some substantial number of bugs.
How the fuck is it that you insist this in one breath, and then use a quote that says Windows Explorer of all things doesn't crash the OS when exploited, but IE does. How is IE more 'tied into the OS' than Explorer itself?
I don't give a flying fuck if you say IE is buggy or a security risk. What I'm asking you to stop doing is insisting it's for bogus reasons.
"You realize that when I say IE I'm speaking on the fact that the explorer.exe engine is used to browse the web as well as used by windows explorer for system browsing etc?"
You realize that *it isn't* right? iexplore.exe is a rather generic ActiveX Container application. It is capable of hosting both the IE browser control (and is designed for it) as well as pretty much ANY automation application that registers a url handler (eg. Acrobat, Word). This includes explorer.exe's own file browsing control.
If you want proof of that, you have only to look at your own quote of MS' documents on the security problem. explorer.exe isn't affected (or at least doesn't cause a system crash). And probably if you open iexplore.exe and browse to c:\blah\whatever where there are jpegs, it doesn't crash the system there either. It's the IE Webbrowser control that does.
Read please.
"Release a new version of IE that isn't so tied in to the OS as to call these types of issues?"
THIS is the bullshit I'm talking about. You constantly insist that the problem is that IE is 'so tied into the OS' and that fixing that would fix some substantial number of bugs.
How the fuck is it that you insist this in one breath, and then use a quote that says Windows Explorer of all things doesn't crash the OS when exploited, but IE does. How is IE more 'tied into the OS' than Explorer itself?
I don't give a flying fuck if you say IE is buggy or a security risk. What I'm asking you to stop doing is insisting it's for bogus reasons.
"You realize that when I say IE I'm speaking on the fact that the explorer.exe engine is used to browse the web as well as used by windows explorer for system browsing etc?"
You realize that *it isn't* right? iexplore.exe is a rather generic ActiveX Container application. It is capable of hosting both the IE browser control (and is designed for it) as well as pretty much ANY automation application that registers a url handler (eg. Acrobat, Word). This includes explorer.exe's own file browsing control.
If you want proof of that, you have only to look at your own quote of MS' documents on the security problem. explorer.exe isn't affected (or at least doesn't cause a system crash). And probably if you open iexplore.exe and browse to c:\blah\whatever where there are jpegs, it doesn't crash the system there either. It's the IE Webbrowser control that does.
maharg said:
Well then I apologize I'm not spewing information just for the fuck of it, I have been told by several people that whether you're using IE or Windows Explorer your running the same core engine.
My apologize.
Be less of a dick about pointing something out next time 'kay?
DarienA said:
Well it's not quite that simple, since the IE "engine" itself is broken up into pieces that other people can use whatever bits of they want.
Windows Explorer uses different pieces of the IE "engine", than the IE "browser" itself does.
Anyway, like I said above, this specific JPEG exploit is due to a bug in a 2D rendering and image manipulation library called gdiplus.dll.
This library is used by a lot of apps, including Windows Explorer, IE, Office, and tons of others, including 3rd party non-MS apps.
So strictly speaking, the exploit has very little to do with IE, apart from the fact that IE is probably the biggest victim of this bug.
- Status