

Title

Don't Trust Me.

Description

<a href="http://www.slashdot.org/">Slashdot</a> reports in <a href="http://slashdot.org/articles/02/11/21/1317229.shtml?tid=172">Another Critical Microsoft Hole</a> that IE, once again, has a problem with granting ActiveX controls too many rights. This latest security flaw, in Windows NT/2000 (not present in XP), is a really good one, as the best workaround Microsoft can recommend is <iq>...to make sure you have no trusted publishers, including Microsoft.</iq> (<a href="http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-065.asp" title="Microsoft Security Bulletin MS02-065: Buffer Overrun in Microsoft Data Access Components Could Lead to Code Execution (Q329414)">Security Bulletin MS02-065</a>). That means you have to remove every trusted publisher from your list, because the control at issue is signed and verified by Microsoft: as long as Microsoft is on the trusted-publisher list, IE installs anything Microsoft signed without asking, and the vulnerable version of the control carries exactly as valid a signature as the fixed one. (Note that emptying the list only turns the silent install back into a prompt; a user who clicks through the prompt is no better off.) They hesitate to simply disallow the control entirely, by setting what is called a <iq>Kill Bit</iq> that makes IE refuse to load it, because so many sites hardcode for this particular control.

How bad is the problem? <iq>This vulnerability is rated critical because an attacker could take over an IIS server or an Internet Explorer client and run code,</iq> Microsoft warned. <iq>Any IIS server with MDAC and all Internet Explorer clients should apply the patch immediately.</iq> However, <iq>it is currently possible to make patched systems vulnerable again</iq>: a web page can offer the older, still validly signed version of the control, and a trusted-publisher entry lets it straight back onto a patched machine. As if you're not having enough fun applying patches yet. Of course, you could always just fork over the cash and upgrade to XP, which doesn't have the problem.

To Microsoft's credit, they are being quite aggressive about solving this particular hole, even to the point of coming up with the embarrassing solution of saying that they can't be trusted. So, perhaps they do mean it when they say they are now a security company and start babbling about Palladium and DRM. They just mean they care about telling people about security holes, but don't actually intend to write decent software. Again, to be fair, this is not a problem on XP, and software does get better and more secure with newer versions, but it's hard not to be suspicious of their motives in changing from a company that invokes the DMCA against people who report security flaws to a company that trumpets them. Perhaps the whole Trusted Computing movement needs to find a less ironic torchbearer, no? Perhaps Microsoft already knows who could provide these services. <a href="http://www.theregister.co.uk/content/4/28226.html">MS paper touts Unix in Hotmail's Win2k switch</a> on <a href="http://www.theregister.co.uk/">The Register</a> examines a recently unearthed study done by Microsoft's server division when they acquired Hotmail (which ran on FreeBSD, and in part still did). Even if they have a secure operating system, I would still wait until we see some behavior from them that isn't just embarrassing. The Register again comes up with the scoop <a href="http://www.theregister.co.uk/content/55/28252.html">On the Microsoft FTP server leak</a>. Apparently, early in November 2002, they had an FTP server open, on which some employees had <iq>'published' files [with] an estimated 11 million customer email addresses and seven million snail mail addresses</iq>. Thank goodness I don't buy anything from them.
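The two mechanisms the bulletin talks around, the trusted-publisher list and the Kill Bit, are both just Windows state you can inspect and change yourself. The following is an added example, not something from the original entry or from Microsoft's bulletin, and it assumes a modern Windows box with PowerShell 3 or later (the NT/2000 machines the bulletin applies to had neither; there you would use certmgr.msc and regedit). The CLSID is a placeholder, not the identifier of the MDAC control in question, which the entry does not name. The registry location and the 0x400 flag value are the documented ones for an ActiveX kill bit.

```powershell
# Added example, not from the original entry. Requires an elevated prompt for the HKLM write.

# 1. See who this account already trusts to install signed code silently.
Get-ChildItem Cert:\CurrentUser\TrustedPublisher |
    Select-Object Subject, Thumbprint, NotAfter

# 2. The bulletin's workaround, taken literally: no trusted publishers at all,
#    Microsoft included. After this, every signed control prompts instead of
#    installing silently. Remove-Item on the Cert: drive needs PowerShell 3+.
Get-ChildItem Cert:\CurrentUser\TrustedPublisher | Remove-Item

# 3. The Kill Bit Microsoft chose not to ship for this control. A kill bit is a
#    DWORD named "Compatibility Flags" with the 0x400 bit set, stored under the
#    control's CLSID in the ActiveX Compatibility key. IE then refuses to
#    instantiate that CLSID no matter how it is signed, which is exactly why it
#    breaks the sites that hardcode the control.
$clsid = '{00000000-0000-0000-0000-000000000000}'   # placeholder, assumption: substitute the real CLSID
$key   = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
New-Item -Path $key -Force | Out-Null
Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value 0x400 -Type DWord

# 4. Verify the bit actually landed (bitwise test, in case other flags are set).
$flags = (Get-ItemProperty -Path $key).'Compatibility Flags'
if (($flags -band 0x400) -eq 0x400) { "Kill bit set for $clsid" } else { "Kill bit NOT set for $clsid" }
```

Step 2 is the part to think twice about: it changes a silent install into a yes/no dialog, which is a real improvement only for users who answer no. Step 3 is the stronger control and is the reason kill bits are normally shipped in the patch itself rather than left to administrators.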