A serious vulnerability that causes Internet Explorer to launch Firefox and execute a malicious payload is sparking debate about exactly who is responsible for the flaw.

The vulnerability, which was widely reported on security blogs, allows an attacker to remotely execute malicious code on a machine that is running IE but also has the Mozilla browser installed. By luring an IE user to a malevolently crafted site, the attacker can cause Firefox to execute the code without first vetting it for security.
http://www.theregister.co.uk/2007/07/11/ie_firefox_vuln/
:roll:

The end users are at fault for using IE in the first place. But that's just my opinion.

I think this problem originated with people who type M$ instead of "Microsoft" or "MS".

http://ubuntuforums.org/showthread.php?t=519877

now who would be using IE when they have Firefox installed?!

I think this problem originated with people who type M$ instead of "Microsoft" or "MS".
http://www.urbandictionary.com/define.php?term=micro$oft
):P:p

http://www.urbandictionary.com/define.php?term=micro$oft
):P:p

From that Urban(e?) Dictionary:


58 Reasons not to install Internet Explorer:

1. It is EVIL!!!!!!!!
2: It wastes over 100 megs of hard drive space
3: Despite what Bill claims, it's not really free. Each installed copy of IE costs exactly one soul.
4: IE has more bugs than a bait store!
5: Installing it automatically signs you up for the security hole of the week club.
6: It can send your personal information to Microsoft.
7: It's been known to bite people's heads off.
8: Its installation process overwrites system DLLs with newer version that are not always 100% compatible.
9: The majority of people still use Netscape.
10: Microsoft wrote it. Do you really need another reason?
11: It scares young children.
12: Borg implants tend to itch like crazy.
13: It's proprietary; they don't want you to know what's in it.Mozilla's source code can be downloaded for free.
14: IE is "integrated" in to Windows. Netscape is a well behaved application. When IE crashes it can hose the system. Netscape won't do that.
15: The DOJ isn't after Netscape.
16: ActiveX allows hackers to do ANYTHING with your system. That's not true with Java.
17: Microsoft's Java is not compatible with standard Java and vice versa.
18: Netscape Navigator is available for more platforms that Internet Explorer. Heck, IE 6 dosn't even run on Windows 95!
19: If the install fails it can leave your system unusable.
20: Internet Explorer is evil.
21: If the install succeeds your system will be unusable.
22: Who in their right mind would want to view their hard drive as a $#%#@ web page?!
23: Overactive desktop? What exactly does that *DO* besides slow down the computer anyway?
24: Yes, we all want advertising on our desktops don't we? Nuke the channel bar.
25: You will just love the oversized tool bars if you have a 640*480 screen.
26: IE 4 on Windows 95 is basically Windows 98. And you know what a mess Windows 98 is right?
27: It has been rumored that IE can cause modems to explode.
28: Both the installer and the uninstaller are about as stable as nitroglycerin.
29: Need to use IE 3 AND IE 4? Forget it, you would have to dual boot between browsers... because IE is part of Bills OS.
30: Remember that RAM upgrade you did a few months ago? Well, you will need more.
31: 50 megs free on drive C: and 5 gigs on drive D:? Sorry, it installs 98% of its crap in the Windows system folder on drive C:!
32: Did you ever notice how easy it is to mistype "IE 4" as "IE $". Or is "IE 4" the typo?
33: IE has been proven to cause cancer in lab animals.
34: Once Micro$oft has crushed Netscape, they will cease any attempts to improve IE. (Not that they have put much effort in to it as it is).
35: ActiveX is limited to IE on Windows95/98/NT. It won't work on Mac, Linux, DOS, Windows 3.1, etc. or with other browsers.
36: It will make your monitor spin and vomit.
37: Do you really understand the IE license in legal terms? You are now Bill's towel boy.
38: IE is so evil, even Satin won't use it.
39: Most web content is still developed for Netscape Navigator.
40: IE is such a smelly piece of crap, even Mr. Hanky won't get near it.
41: The web is based on open standards. Open standards are incompatible with Internet Explorer, or any Microsoft product for that matter.
42: If you care at all about the data on your hard drive you won't install it.
43: Microsoft forces people to install and use it through bundling and unnecessary integration. If it were really any good do you think they would have to do that?
44: AOL uses IE.
45: Did I mention IE is evil?
46: Each time a copy of Internet Explorer is installed, Bill Gates has an orgasm.
47: IE's full name, MSIE is pronounced "messy". Do you really want to be a "messy" user?
48: Because "Everyone is doing it". That is the wrong reason to do anything.
49: Because management thinks IE is good.
50: For businesses, IE and Windows 98 have no place in a business environment because of all the non-optional advertising and distracting bells and whistles.
51: Because only a couple of the entries in this list are jokes. The rest are TRUE.
52: Netscape Navigator / Communicator is STILL better than IE.
53: Netscape has a cool mascot, Mozilla. Microsoft has Evie the Evil "e".
54: IE changes the way your Windows 95 desktop works even if you don't install the "enhanced" desktop.
55: At various points IE identifies itself as being "Mozilla" compatible. Why use a bad clone when you can use the real thing instead?
56: Compaq ships business computers with Windows 95 (or NTWS 4), not 98 because many companies don't want 98 and it's mandatory browser.
57: When Compaq ships IE 4.01 on Windows 95, they include a nice little leaflet titled in big letters "Problem with Microsoft Internet Explorer 4.01 for Windows 95 - Computer Non-responsive on Shutdown"
58:All Micro$oft crap is well crap!!!

:guitar:

http://www.urbandictionary.com/define.php?term=micro$oft
):P:p

Because, as we all know, when someone else on the internet does something you just HAVE to copy them :)

Its both browsers fault, for internet explorer for allowing code to do that in the first place, and firefox for again having flawed security and running code that was delivered due to the IE payload

work with both companies and fix it for the benefit of the users is the best option,

Personally I think it's kind of interesting that two browsers would be used in the attack... that kind of limits the people who are going to be effected by this.

Personally I think it's kind of interesting that two browsers would be used in the attack... that kind of limits the people who are going to be effected by this.

not really

its *nearly* impossible to uininstall internet explorer. The most you can do is remove the link to it, but its still there as the system files are needed by a lot of programs throughout the operating system. The only way you can really remove it is to create a custom windows install disk and manually remove the IE files from the disk when you create it, and even then a LOT of things dont work.

but then they have to be running IE for this to work, and usually when people have firefox they dont use IE so i guess your right

I think this problem originated with people who type M$ instead of "Microsoft" or "MS".

Explain to me what's wrong with referring to the greediest and most self-serving, bullying and ignorant corporation on this planet as M$? I can think of a few names for them that are a lot worse.

Explain to me what's wrong with referring to the greediest and most self-serving, bullying and ignorant corporation on this planet as M$?
yep... i also don't have much sympathy for someone who on the one hand sues people their '*** off', once they are 'addicted' to *******...and on the other hand says this :

Today Gates openly concedes that tolerating piracy turned out to be Microsoft's best long-term strategy. That's why Windows is used on an estimated 90% of China's 120 million PCs. "It's easier for our software to compete with Linux when there's piracy than when there's not," Gates says.
http://money.cnn.com/magazines/fortune/fortune_archive/2007/07/23/100134488/index.htm
:twisted:

Bleh. I don't know many firefox users that use IE at all, if you have to use IE to trigger this then I guess its not that serious. I have two questions though about this, just for curiosity sake.

Is IE tab (https://addons.mozilla.org/en-US/firefox/addon/1419) affected by this? It lets you render a page inside firefox with the IE engine, I'm not sure if its modified at all so would it still be susceptible? Would that then open an entirely new firefox window or just a tab?

Second thing I'm curious about, is the malicious code/script javascript based? If so, wouldn't no script completely block the execution?

It's an interesting bug I'll say that, but I find it unlikely that many people will be visiting the right site with IE (especially since they have firefox) to get hit by this.

Explain to me what's wrong with referring to the greediest and most self-serving, bullying and ignorant corporation on this planet as M$? I can think of a few names for them that are a lot worse.

Frankly, it's annoying. It was slightly clever years ago when I first saw it. It's sort of a chicken-or-egg debate as to what came first: M$, Micro$oft, Microsh*t, Microshaft... you get the point. Fine, you don't like the company or what it stands for, we get it. You're already showing your displeasure by running an OS that isn't Windows. Just refer to them as Microsoft like any other adult would.

Internet memes on the other hand, they never get old...;)

This is more of an issue with Windows. I scarcely think that anyone is remotely concerned about vulnerability in Linux or even Mac.

Frankly, it's annoying. It was slightly clever years ago when I first saw it. It's sort of a chicken-or-egg debate as to what came first: M$, Micro$oft, Microsh*t, Microshaft... you get the point. Fine, you don't like the company or what it stands for, we get it. You're already showing your displeasure by running an OS that isn't Windows. Just refer to them as Microsoft like any other adult would.

Internet memes on the other hand, they never get old...;)
Seconded. By the way 'Microsoft' and 'Windows' are unpleasant words enough.

This is more of an issue with Windows. I scarcely think that anyone is remotely concerned about vulnerability in Linux or even Mac.

{Comment deleted}
I misunderstood your comment at first.

EDIT: Back to the he-said, she-said debate. Is it really that bad if it was, in fact, a security flaw in Firefox? The hole will be closed and the patch released shortly if it hasn't been already. If it had been a hole in IE, Windows users would be waiting around for months potentially before it was fixed. The power of open-source flexes its muscle again.

+1 for OSS

whens Microsofts next patch release scheduled?, first friday of next month you say? can i uninstall IE untill then? so what do i do till then? stfu and send you money for vista anyway?

whens Microsofts next patch release scheduled?, first friday of next month you say? can i uninstall IE untill then? so what do i do till then? stfu and send you money for vista anyway?

actually, i got some windows updates yesterday

2 of them were driver updates for my sound card and wifi driver

and during the installation process, windows blue screened, and kept blue screening every time it restarted before you could login

i had to go into safe mode, disable the hardware and uninstall the bad drivers and then reinstall the old known good ones.

and internet explorer CANNOT be uninstalled. if you, many programs that connect to the internet will no longer work.

Frankly, it's annoying. It was slightly clever years ago when I first saw it. It's sort of a chicken-or-egg debate as to what came first: M$, Micro$oft, Microsh*t, Microshaft... you get the point. Fine, you don't like the company or what it stands for, we get it. You're already showing your displeasure by running an OS that isn't Windows. Just refer to them as Microsoft like any other adult would.

Internet memes on the other hand, they never get old...;)

Actually, the really annoying thing is folks who allow something so silly to annoy them in the first place. It's just how some people choose to express themselves and it's really not anyone else's place to presume that it reflects on that poster's maturity level. Seems to me that a truly mature individual could let terms like M$ pass without comment because it really has no bearing on the state of reality anyway.

These various names given to Microsoft are never thrown around when having a rational discussion about Microsoft/Windows. These names only show up in the comments and threads of anti-Microsoft stories. Maybe I'm just on Digg too much and see M$, etc so much that it bothers me. It's sort of like that kid in grade school who thinks he's funny by refering to everyone by words that sound like or rhyme with their real name. It gets old really fast because 99% of the time, it's not clever.

Maybe I'm just on Digg too much

I see your problem now, its ok I suffer the samething. Digg has turned me into an angry troll who snaps at the simplest things.

and internet explorer CANNOT be uninstalled. if you, many programs that connect to the internet will no longer work.

I love it when people say to uninstall it. It's like trying to take the chocolate out of a glass of chocolate milk.

I don't even touch IE anymore.

I don't even touch IE anymore.

thats impossible...unless you don't use windows at all

I don't even touch IE anymore.

I don't use IE either nor do I use Windows.

It is panfully obvious that this bug is Mozilla's fault...

Mozilla may have fewer bugs, but of the ones we've seen...hehe...damn nasty...

Because, as we all know, when someone else on the internet does something you just HAVE to copy them :)
Because, as we all know, when someone else on the internet does something you just HAVE to copy them :)

thats impossible...unless you don't use windows at all

Almost. It's been at least 2 weeks since I last booted my Windows partition. And when I do use Windows, it's only Firefox.

Almost. It's been at least 2 weeks since I last booted my Windows partition. And when I do use Windows, it's only Firefox.

His point was that IE is used even if you're not USING it. Its built into the web capabilties of the Windows OS.

Frankly, it's annoying. It was slightly clever years ago when I first saw it. It's sort of a chicken-or-egg debate as to what came first: M$, Micro$oft, Microsh*t, Microshaft... you get the point. Fine, you don't like the company or what it stands for, we get it. You're already showing your displeasure by running an OS that isn't Windows. Just refer to them as Microsoft like any other adult would.

No, I'll call them whatever I like, I see no reason why I shouldn't refer to them by a name which doesn't violate the rules or offend anyone and expresses my opinion that they are greedy monopolists.

These various names given to Microsoft are never thrown around when having a rational discussion about Microsoft/Windows. These names only show up in the comments and threads of anti-Microsoft stories. Maybe I'm just on Digg too much and see M$, etc so much that it bothers me. It's sort of like that kid in grade school who thinks he's funny by refering to everyone by words that sound like or rhyme with their real name. It gets old really fast because 99% of the time, it's not clever.

Uhh, nobody said it was clever, I'm certainly not trying to be funny, I'm using it because I prefer to call them by that, and to me it represents what they are. I disagree with your first statement, I've seen it on numerous occasions in rational discussions.

---If the safe in a store was robbed while I (or anyone) was in the "said" store, I (or anyone else), might not be a suspect. If another safe was robbed while that same person (I* or anyone else) was in the store... yet again, one might go :-k and I (or they) may become suspect, even primary suspect. BUT when three safes are robbed and the same person is present during all instances, when does someone take their foot out of their mouth/!@#$ and shove it up someone else's !@#$ while telling them, "watch your head."):P?

---The same type of thing happened with AOL Messenger and Yahoo! Messenger regarding (malicious?) hording of an internet connection and/or OS. Remember this happening around 1997? When MSN was open, Yahoo wouldn't load and AIM wouldn't connect. The biggest snitch was that AOL and Yahoo! would run simultaneously, but when MSN was opened, the connection was lost or the program crashed. That was more than :-k and M$ said "It's AOL/Yahoo! not us"

---I myself believe him to be guilty of violating his own TOS and Federal law. There has always been a file buried in the MS OS that states something to the effect that 'the computer (or any part of the computer) should in no way be used in an act of terrorism or creation of a dirty bomb' and AFAIK, that file is in XP and more than likely can also be found in Vista. Now, this was solely referring to the internal components, but a law has now been passed regarding internet terrorism and I'd believe terrorism carried out in someone's home, against the user, by the developer, via their own PC would carry huge repercussions. LOL, ever see the movie Fatal Error? Even Robert Wagner paid in the end of that one.

---I'd like to know when he'$ going to get nailed to the wall for the things he has done. Whether he admits it or denies it, he walks every time. There has to be a line drawn somewhere, but I'm just not seeing it. Maybe the line was drawn with invisible ink because "certain" agencies depend on Microshaft and they can´t incarcerate him, because that ultimately would mean that he would be restricted from accessing computers as part of judgment. Favoritism? <closes the can of worms before they get out, and returns to trying to solve networking issues on his own PC>

now who would be using IE when they have Firefox installed?!

I do on occasion. Once in a while I'll hit a page that contains some IE-specific elements, i.e activex and I can't view the entire page. I will open IE and paste the URL to view it. Other than those relatively rare instances, I use firefox.