The Electrical Contractor Network

ECN Electrical Forum
Discussion Forums for Electricians, Inspectors and Related Professionals

#125322 - 11/17/04 04:14 PM Yet again...
jooles Offline
Member

Registered: 09/18/04
Posts: 98
Loc: brussels, belgium
This is yet another example of the sort of thing that causes me to rant and rave at people to try to get them to switch to alternative browsers from MS Internet Explorer.

So. You've followed all the rules. Not opened any dodgy attachments, spent a small fortune and hours and hours downloading all the AV signatures, and so on.

Yet, nevertheless, this happens.

====

SECUNIA HAS ALERTED its customers to three holes in Microsoft Internet Explorer, two of which are moderately critical.

The moderately critical holes, discovered by Cyber Flash, allow the bypassing of security features in Windows XP SP2 on downloading files of particular types.

Another error means that when saving some documents using the Javascript "execCommand()" function a file extension can be spoofed in the Save HTML Document dialogue, Secunia said.

The solution to these two problems is to disable Active Scripting support and the "hide extension for known file types" option.

There's a demo of these problems, here.

The third, less serious hole is a Cookie path attribute problem if trusted sites support wildcard domains or the domain name contains a malicious site domain by using a maliciously crafted path attribute.

Users with Windows XP SP2 are not affected by the last problem. The solution is to disable cookies except when they're needed, or to update to Windows XP SP2.

====

This was reported at http://www.theinquirer.net/?article=19737
It is generally a good source of info about viruses etc.

The moral is to use Mozilla or Firefox and to always install service packs if you are using Windows.

As a reminder.

Firefox can be obtained at
www.getfirefox.com

Mozilla, which can also replace Outlook Express as a mail reader, as well as offering a proper WWW browser, is at
www.mozilla.org

To use MS Update to get the latest service pack, at present you *do* need to use IE. Start IE, do Tools -> Windows Update, and follow the instructions. This is a *large* update and not realistic if you don't use broadband. Modem users can ring Microsoft Help and/or go to their local computer store, and free CDs are available. In fact I got a few extra CDs just to give to pals of mine that are not on broadband. Every little bit helps.


If you think it is *outrageous* that MS is helping the world of the internet to decay by denying a proper update facility to users of other browsers, then join me and millions of others in writing to them to tell them so. This is too important to let go of.

Good luck and stay virus-free.



[This message has been edited by jooles (edited 11-17-2004).]

Top
#125323 - 12/01/04 12:30 AM Re: Yet again...
Big Jim Offline
Member

Registered: 07/18/03
Posts: 377
Loc: Denver, CO USA
The fact is that Internet Explorer is a part of the Windows operating system. Do you really expect full functionality from a system if you disable part of it? While it may be a POS in general, it is a part of the operating system required to upgrade that system. There are a lot of things I don't like about MS but requiring you to use their provided utility to update their system is quite reasonable. If I were directing their security, there is no way I would let some program I didn't control have unfettered access to repair security problems. In summary, Waah! I can't fix my OS because I refuse to use the tools they give me to fix it.

Top
#125324 - 12/03/04 08:16 PM Re: Yet again...
jooles Offline
Member

Registered: 09/18/04
Posts: 98
Loc: brussels, belgium
> The fact is that Internet Explorer is a part of the Windows operating system.

The underlying API for IE being intermingled in the general OS code is indeed an ugly truth and at the root of a lot of the insecurity problems that Windows users face. Very poor software design, in my opinion, and it appears to have been done purely on a commercial/political whim rather than for any technical reasons.

>Do you really expect full functionality from a system if you disable part of it?

Before I answer this, please first would you remind me when, where and what did I advocate disabling, exactly? Are you having a joke?

What I *did* suggest is to install and to use an alternative browser and mail client instead of using the Microsoft products, because those have flawed security models, and their very bad track record in normal use bears this out. However, simply /not running/ the MS applications because I am using (let's say) FireFox and Eudora mail, would not normally be construed as /disabling/ MSIE and Outlook, or would it?


>While it may be a POS in general, it is a part of the operating system required to upgrade that system.

This requirement, though, turns out to be the case purely for political reasons, which is precisely why I find it irksome. There is no solid technical requirement, none whatsoever, for updates to operate with Internet Explorer only.

The purely technical requirements to upgrade the system are quite simple -- some means to copy the patch files from the vendor to the destination disk (for example either a CD or a network file transfer) and a little utility to retrieve and compare the file version information for each file (a call to the win32 API called GetFileVersionInfo), copy the file if necessary, and, when a newer file was required, update the corresponding registration keys by calling the win32 registry API (RegLoadKey or something like that). I could easily do that for you in about two screensful of Perl, or a little bit more of VB script or C, never mind all this requiring to have Internet Explorer running. Neither of those APIs belongs in the classes of calls that Internet Explorer registers at its installation time, so therefore IE is superfluous to the Windows Update mechanism.

> There are a lot of things I don't like about MS but requiring you to use their provided utility to update their system is quite reasonable.

Yes, but on what grounds is it reasonable? The most important thing of all, not just for Windows users but for ALL users of the public networks, is to make the patches available as widely as possible, wouldn't you say? By deliberately restricting the method of deployment, which is exactly what they are doing by including a line of code in their updates page to check the browser version, and _then_ _disallow_ _updating_ if not Internet Explorer, they are narrowing rather than widening availability, or are they not?

In my opinion, there is nothing reasonable about that decision of theirs after all.

> If I were directing their security, there is no way I would let some program I didn't control have unfettered access to repair security problems.

Tell me why that is, then, if you please? I think it is just founded on a superstition that you hold, rather than there being any solid technical reasoning for it. I certainly don't know of any credible evidence that the use of the Internet Explorer browser to deploy security patches has augmented Windows security, as opposed to any putative alternative scheme where the patches would be rolled out with (for example) Mozilla, but if you have any good reasons to support that theory I'd be very interested to learn more about them.

If it were really true that the best way to keep an operating system secure is for the vendor to control the tools that deploy OS patches, which I think is what you are telling us here, then how do Unix systems, which use third-party mechanisms such as 'apt-get', 'rpm', and the 'patch' utility, /all the time/ to install their updates, manage to keep their integrity? Because in normal use, security breaches on Unix are quite a rarity, rather than the norm as they are in Windows, and that's even despite the fact that Unix comprises the *majority* of server-class machines that are exposed to public networks (about 65 per cent of web servers were Apache, deployed on some sort of a Unix platform, in a recent Netcraft survey). And *all* of those unix installations will have been patched and updated by tools that the Apache project, Novell/SuSE, Red Hat, IBM, SUN and the rest of the server application vendors /did not/ develop or control.

>In summary, Waah! I can't fix my OS because I refuse to use the tools they give me to fix it.

In summary, Waah! you are proposing utter lunacy is more like it, because that is most emphatically NOT what I said, not at all. Did you not take in the sentence where I mentioned the fixes are available on CD and that in a fit of enthusiasm I even got extra copies of them to give out to friends? So, can you tell me where is the "I refuse to install OS patches" sentiment in that, please, because I seem to be missing it.

Moreover, if you would kindly spend a couple of minutes checking the Computers and Internet forum you can easily find SEVERAL other postings of mine where I repeatedly, and transparently, reminded some of the people who were discussing viruses and so on how important it is to ALWAYS install the latest patches.



[This message has been edited by jooles (edited 12-03-2004).]

Top
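The update procedure jooles describes in the post above (compare each file's version, copy it if the vendor's is newer, record the new version), as an added Python sketch that is not part of the original post and not Microsoft's updater. It goes beyond the post by checking a SHA-256 digest before copying; the manifest layout, file names, versions and function names are constructed for illustration, and a dictionary stands in for GetFileVersionInfo and the registry.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def parse_version(text):
    """Turn a four-part file version such as '6.0.2900.2180' into a tuple of ints."""
    parts = tuple(int(p) for p in text.split("."))
    if len(parts) != 4:
        raise ValueError(f"expected four numeric fields, got {text!r}")
    return parts


def apply_patch(manifest, installed, patch_dir, target_dir):
    """Copy patch files that are newer than installed and match their SHA-256 digest.
    manifest: {name: (version, sha256_hex)}; installed: {name: version}, updated in place."""
    updated, skipped, rejected = [], [], []
    for name, (version, digest) in sorted(manifest.items()):
        current = installed.get(name, "0.0.0.0")
        # Numeric compare per field: as strings '6.0.2900.999' sorts above '6.0.2900.2180'.
        if parse_version(version) <= parse_version(current):
            skipped.append(name)
            continue
        source = Path(patch_dir) / name
        if hashlib.sha256(source.read_bytes()).hexdigest() != digest:
            rejected.append(name)  # corrupted or altered in transit: do not install
            continue
        shutil.copy2(source, Path(target_dir) / name)
        installed[name] = version  # stands in for the registry update the post mentions
        updated.append(name)
    return updated, skipped, rejected


def demo():
    """Run the procedure on constructed files and versions in temporary directories."""
    files = {"a.dll": b"new a", "b.dll": b"new b", "c.dll": b"altered in transit"}
    sha = {n: hashlib.sha256(d).hexdigest() for n, d in files.items()}
    sha["c.dll"] = hashlib.sha256(b"what the vendor shipped").hexdigest()
    manifest = {"a.dll": ("6.0.2900.2180", sha["a.dll"]),
                "b.dll": ("6.0.2800.1106", sha["b.dll"]),
                "c.dll": ("6.0.2900.2180", sha["c.dll"])}
    installed = {"a.dll": "6.0.2900.999", "b.dll": "6.0.2800.1106", "c.dll": "6.0.2800.1106"}
    with tempfile.TemporaryDirectory() as patch, tempfile.TemporaryDirectory() as target:
        for name, data in files.items():
            (Path(patch) / name).write_bytes(data)
        result = apply_patch(manifest, installed, patch, target)
        copied = sorted(p.name for p in Path(target).iterdir())
    return result, installed, copied
```

Calling `demo()` updates one file, skips one that is already current, and rejects one whose contents do not match the manifest digest.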
#125325 - 12/13/04 02:34 AM Re: Yet again...
Big Jim Offline
Member

Registered: 07/18/03
Posts: 377
Loc: Denver, CO USA
You can expound all you want but it is Microsoft's program and they have a perfect right to write it any way they wish. When they create an update method, they are in no way obligated to explain or justify it to you. You have perfect freedom to not use their products but you have no logical right to try and alter their design philosophy. They continue to do things the way they do simply because it works for them. It has made them the largest software provider in the world. If you really think you deserve a voice in how your software runs, move to an open-source operating system.

Top
#125326 - 12/13/04 08:56 PM Re: Yet again...
trollog Offline
Member

Registered: 10/02/04
Posts: 273
Loc: San Diego California USA
That's why I dumped M$ and now use linux!

Top
#125327 - 12/13/04 10:01 PM Re: Yet again...
Big Jim Offline
Member

Registered: 07/18/03
Posts: 377
Loc: Denver, CO USA
And that's exactly the way to do it. Crying about Microsoft and still using their products accomplishes nothing. The ONLY thing that can make them take notice is loss of market share. Do you think Gates and his top aides would be running all over the world pitching Windows if Linux wasn't a threat?

Top
#125328 - 12/14/04 10:28 AM Re: Yet again...
jooles Offline
Member

Registered: 09/18/04
Posts: 98
Loc: brussels, belgium
There you go again, making more false assumptions.

My home computer is a Sun SPARC box running Solaris.

My work is developing software for Apple Macs so I use OSX on Apple hardware.

Where is this 'using Microsoft and crying about it' coming from? Because I rarely do use any of their software; you are merely imagining that I do.

Top
#125329 - 12/16/04 12:57 AM Re: Yet again...
Big Jim Offline
Member

Registered: 07/18/03
Posts: 377
Loc: Denver, CO USA
For some reason, up to this point in the discussion, you have chosen to conceal the true nature of your involvement in the computing world. You seem to try and give "professional" level advice about a system you have chosen not to use. Irrespective of your alleged technical arguments, the marketplace has given Microsoft a 10 to 1 market advantage over the system you make a living at. That would seem to indicate that you are in a tiny minority in your views and opinions. I am almost all Microsoft at home (except for the SGI O2 we play with occasionally) because it matches what I am required to use at work.
I purchased my first PC clone in the mid 80's and, even though I now have DSL access at home, I have NEVER had a machine seriously compromised.
I think we agree that it is necessary to continually practice Safe Computing, regardless of your hardware and software.

Top
#125330 - 12/16/04 11:15 PM Re: Yet again...
jooles Offline
Member

Registered: 09/18/04
Posts: 98
Loc: brussels, belgium
http://electrical-contractor.net/ubb/Forum8/HTML/000002.html

I concealed precisely nothing. That was posted there ages ago, and you could have read it, but instead you preferred to base your rather personal attacks on false assumptions rather than the facts.

Using your duff logic of popularity, then McDonald's would be the best food for us to all eat. Nice one.

I can make a living as I have said elsewhere on Unix, Windows and mainframe platforms. Doing software engineering on Windows is horrible, and since they started changing their APIs every two years there is no longer any money to be made at it; the extra costs of continuous retraining and having to buy new development frameworks etc swallow up too much of one's earnings. So that is why these days I stick to unix. Nothing to do with "alleged" anything. I have been doing so for getting on for 25 years: the advice I have given is best industry practice and I feel perfectly happy to give it.

Of course I want people to practice safe computing; I also want the general standards to be raised, and one thing that might help this to happen is by requesting the feature I said of Microsoft, to make updates of the latest patches more easily accessible. Far better I think than bringing everyone to the lowest common denominator, which would appear to be your preferred way to go about it. MS *does* listen to change requests like this if enough people all ask for the same thing.

Top


