Stop Microsoft
Miscellaneous => Applications => Topic started by: Zombie9920 on 1 May 2002, 21:13
-
An Israeli software firm has discovered a flaw in Netscape and Mozilla software that allows code hidden in a Web page to read files from the user's PC. The bug is a more serious variant of one patched in Microsoft's Internet Explorer in February.
GreyMagic Software reported that the problem affects XMLHttpRequest, which allows Web pages in the browser to send and receive XML data via HTTP, the standard Web transfer protocol. XML is an Internet language for describing just about any sort of data.
Full story here. http://zdnet.com.com/2100-1104-896099.html
Mozilla is just so great let me tell you. ;P
[ May 01, 2002: Message edited by: Zombie9920 ]
-
Thank god I don't use an insecure OS like windoze!!! That gives permission to any program to access files so easily.
Windoze is SO great let me tell you ;P
-
quote:
Originally posted by psyjax:
Thank god I don't use an insecure OS like windoze!!! That gives permission to any program to access files so easily.
Windoze is SO great let me tell you ;P
It isn't so much that Windows is unsecure. It is more like the Mac users to Windows users is like 1 to 100 so people don't take their time to exploit Mac flaws.
-
quote:
Originally posted by Zombie9920:
It isn't so much that Windows is unsecure. It is more like the Mac users to Windows users is like 1 to 100 so people don't take their time to exploit Mac flaws.
Find the flaws in FreeBSD
-
See, Zombie won't answer that because he knows FreeBSD is far, far more secure than his Windoze XP he keeps screaming about.
-
quote:
Originally posted by psyjax:
Find the flaws in FreeBSD
A few FreeBSD flaws.
http://www.linuxmax.net/news/00640.html
http://www.sans.org/topten.htm (there are suggested solutions to the flaws mentioned on this page..keep in mind that BSD is a Unix system)
http://online.securityfocus.com/archive/1/72698
http://docs.freebsd.org/cgi/getmsg.cgi?fetch=209141+0+archive/
1998/freebsd-security/19981115.freebsd-security (This one is about NetBSD...but is BSD nonetheless)
All OSes have flaws...learn it and live it buddy.
<edited purely to make it fit horizontally on the page - Calum>
[ May 02, 2002: Message edited by: Calum ]
-
as for your first link:
quote:
The squid port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains thousands of third-party applications in a ready-to-install format.
so the flaw is in third party software. You seem to make a habit of arguing about an operating system based on the third party software available for it. why not stop doing that since it's pointless and useless?
re: your second link, the only mention of BSD i could find on the page was a link to this page (http://www.freebsd.org/security/) which is a guide to how to configure your BSD so it's as secure as possible. Hardly a flaw. Keeping in mind that BSD is a UNIX system is irrelevant here, since the page you linked to seems to claim at least as many windows security risks as any other system.
regarding your 3rd link, quote:
The CVS code was not even designed to be a secure subsystem, let alone audited to ensure that it is one.
this is a post from a guy saying CVS is not secure, and somebody else saying it was never meant to be, but incidentally it can be made fairly secure even though that is not its job. Again, hardly a BSD flaw, is it?
Your last link need only be clicked and read to find out just how unconnected with BSD flaws it really is.
It's a thread entitled "Would This Make BSD More Secure?". Hardly a flaw that people are always trying to make it more secure is it? unlike Windows NT. If they had a similar bulletin board, it would be full of threads with names like "How Can We Fleece The Punters Out Of Even More Dough Without Actually Putting In Any Real Effort?"
This was a pretty poor effort, even for you.
Lastly, here's a link which i think is relevant here:
www.zombie9920.com/myresume/ (http://pseudodictionary.com/search.php?letter=f&browsestart=540)
[ May 02, 2002: Message edited by: Calum ]
-
Granted, this is an old story, but the magnitude of this security hole is not to be underestimated:
http://www.pcworld.com/news/article/0,aid,93803,00.asp
Though it has been patched. The fact that M$ let such a thing slip through its fingers is inexcusable IMHO. Casts doubt on their products as a whole.
Furthermore, this hole has nothing to do with 3rd party software or improper configurations on behalf of the user.
But M$'s own software that is constantly thrust upon its users proves to be security risks within themselves. Take for instance the legacy of Lookout Express. Apparently the years of viruses and system holes has done little to remedy its vulnerability:
http://www.infoworld.com/articles/hn/xml/02/04/02/020402hnxpflaws.xml
Ultimately however, the question of flaws in security, despite which OS is more secure, is made void by the fact that you have to rely on M$ for a security patch if something is found. Hell, they may even make you pay for that patch, and it may take weeks for it to be released.
With BSD, and even OSX considering that the kernel is open source, you could always patch the hole yourself. Get the word out into the community and have the hole patched in record time if you don't have the resources. Plus, it will be free and good, because everyone is benefiting from it.
EDIT: Incidentally, the bug has been squashed in the latest NIGHTLY Mozilla Build.
[ May 02, 2002: Message edited by: psyjax ]
-
As opposed to M$'s tiny list of security holes:
http://www.trustworthycomputing.com/
-
The original topic was that Mozilla and Nutscrape have a huge hole. No software is perfect and flawless. IE may be flawed, but so is Nutscrape and Mozilla.
-
You can't be serious if you think Netscape/Mozilla has problems anywhere near IE. Maybe you should go do a little more research.
-
Hmmm and the bug is fixed moron... read it next time:
quote:
The bug is found in versions of Mozilla from 0.9.7 to 0.9.9 on various operating system platforms
and
quote:
The flaw doesn't affect Mozilla 1.0 release candidate 1
ZOMBIE FOR THE LAST TIME WE DON'T NEED YOUR GAY PRO MICROSOFT OPINION HERE, THEY AND THEIR PRODUCTS SUCK
-
quote:
The flaw doesn't affect Mozilla 1.0 release candidate 1 because XMLHttpRequest appears to be broken in that release
The line you pointed out in your post doesn't mean it is fixed you fucking reject. The reason it doesn't affect Mozilla RC-1 is because XMLHttpRequest is broken meaning it doesn't work properly (You conveniently left out the broken part in the line you pointed out..didn't you). Surely when Mozilla 1.0 final is released it won't have known broken features will it? If it has working XMLHttpRequest then the bug will live again in 1.0 Final.
Don't go around and try to call broken browser features a fix. LmFaO.
LmFaO, even the beta versions of IE6 didn't have broken features. Apparently Mozilla sucks for offering downloads of their browsers which have stuff that don't work in them. I wonder what else is broken in Mozilla other than XMLHttpRequest? HaHaHa.
[ May 03, 2002: Message edited by: Zombie9920 ]
-
X11 was wrong. But if you check the mozilla home page, and look under known bugs, it cites that that particular bug has been fixed and to download the nightly build. The nightly build, I'm assuming, has the XML enabled.
And no, the final will not have XML broken.
So yes, the bug has been fixed, like I said above. In the latest nightly build.
EDIT:
In case you don't believe me Zombie7487654484, here is the link:
http://bugzilla.mozilla.org/show_bug.cgi?id=141061
This bug was found in late April, it has been fixed. Pretty quick compared to certain closed source web browsers
[ May 03, 2002: Message edited by: psyjax ]
-
quote:
Originally posted by psyjax:
X11 was wrong. But if you check the mozilla home page, and look under known bugs, it cites that that particular bug has been fixed and to download the nightly build. The nightly build, I'm assuming, has the XML enabled.
And no, the final will not have XML broken.
So yes, the bug has been fixed, like I said above. In the latest nightly build.
EDIT:
In case you don't believe me Zombie7487654484, here is the link:
http://bugzilla.mozilla.org/show_bug.cgi?id=141061
This bug was found in late April, it has been fixed. Pretty quick compared to certain closed source web browsers
[ May 03, 2002: Message edited by: psyjax ]
And now I believe that the bug is fixed. Thank you psyjax for telling how it is with credible proof (something that most of the members of this site including X11 don't do). ;P
-
VoidMain, yes I have done my research. My point was that no software is solid. And if more people use it, more flaws will be found. The thing is, at least the holes get fixed with MS products fast enough. It's bad they have the holes in the first place, but since a lot of people use MS products, more holes will be found, then fixed.
Also, when a Linux flaw is found, it does not get nearly as much publicity as a Microsoft hole. I have yet to turn to a non-tech TV station and hear them MENTION "Linux hole discovered". Why? Because more people use MS, everyone knows MS, therefore that's what the majority of people care about. Go to a Tech Network or web site, you will find news on Linux flaws, but they aren't in big bold letters like MS holes are.
Also, you must see the difference between IE updates and Windows updates. IE will have more security updates because it is a web browser, it's going on the net, whereas Windows is an OS. True, IE is built into Windows, that does not mean you have to use IE.
Also, I don't know anyone's PC that has been damaged or hacked through one of those holes found in Windows or IE. MS haters hear of a hole, and instantly say "Oh my god, Windows is so insecure and sucks". Part of this is true, but, who discovers these holes in the first place? SECURITY FIRMS, people paid to find these holes.
-
Dubble posted cuz Im a maoron.
See bellow.
[ May 03, 2002: Message edited by: psyjax ]
-
Um, your point being?
I don't think we were denying your claim but rather that IE had (and likely has (I hardly use it)) worse holes.
Besides...
In one case you have to rely on M$ to release a patch. And they drag their ass about it. Sometimes they make you pay.
A hole is found in Linux, you patch it yourself. Or you submit it to the community and they patch it. Faster, more efficient, and free.
You can't beat Linux's (and UNIX's) thousands of developers with M$'s paltry few hundred. Just like you can't defeat the passion of people who actually love working with computers and keeping things running, with a bunch of money hungry white-collar criminals *cough* *cough* M$ *cough*.
-
quote:
Originally posted by Zombie9920:
The line you pointed out in your post doesn't mean it is fixed you fucking reject. The reason it doesn't affect Mozilla RC-1 is because XMLHttpRequest is broken meaning it doesn't work properly (You conveniently left out the broken part in the line you pointed out..didn't you). Surely when Mozilla 1.0 final is released it won't have known broken features will it? If it has working XMLHttpRequest then the bug will live again in 1.0 Final.
Don't go around and try to call broken browser features a fix. LmFaO.
LmFaO, even the beta versions of IE6 didn't have broken features. Apparently Mozilla sucks for offering downloads of their browsers which have stuff that don't work in them. I wonder what else is broken in Mozilla other than XMLHttpRequest? HaHaHa.
[ May 03, 2002: Message edited by: Zombie9920 ]
True but the bug is not there you fucking reject
-
quote:
Surely when Mozilla 1.0 final is released it wont have known broken features will it? If it has working XMLHttpRequest then the bug will live again in 1.0 Final.
come to think of it, with this attitude, i'm surprised any development has gone on ever in computing! Imagine a whole bunch of developers of the zombie5246354623745 school of thought, every time they come up against a hurdle they all say "oh well this'll never be fixed, what's the point in trying, we'll just leave it to somebody else to try to write a workaround. (of course we're so smart that we know it can't be done)" Zombie53267543267 reminds me of Marvin the paranoid android.
or sideshow Bob...
Zombie5432675467234 seems to have the approach that progress means (errantly) pointing out what it is impossible to accomplish. You wait, in 5 or 10 years, all these things zombie536734527 says are impossible will have come to pass and more.
Back to the discussion in hand, why oh why do you (zombie5324754327) say that there must continue to be a bug in the program? there is a way to make anything work (without bugs), it's just a matter of finding or creating that way. It's just writing a browser for christ's sake! it's a constant series of developments. The fastest development of mozilla 1 will obviously be in the few weeks after it has come out, because lots of people will be trying it out and finding out the bugs pertinent to their own OS/hardware/connection(s).
I think, honestly, that zombie51145166 has still failed to grasp the basis of the open source model. People are supposed to find bugs. They find them all nice and early, and fix them themselves, or somebody else fixes them. All for free. We've said it before, and i don't think you'll get it this time either. M$' approach to bugs is to hope nobody finds them out, then when one of their bugs is exploited, they take a while for people to get really panicky and pissed off, so that people will pay for the bug fix. If they brought out the fix the day the problem was discovered, would people pay so much for it? Actually, would they have any choice? even if the users had the expertise to fix the bug themselves, no source code is available so they do not have that option.
Why do i bother? You will only come back with some argument. I only have one thing to say, Zombie256415156, Never talk in absolutes!
[ May 07, 2002: Message edited by: Calum ]
-
psyjax, a little more than a few hundred employees work at MS, add about 3 or 4 zeros to the end of hundred and maybe then you have the number of MS employees (and they can be anywhere, not just in Redmond).
-
quote:
Originally posted by Ctrl Alt Del 123:
psyjax, a little more than a few hundred employees work at MS, add about 3 or 4 zeros to the end of hundred and maybe then you have the number of MS employees (and they can be anywhere, not just in Redmond).
How many actual Coders tho?
how many people directly involved with the creation of windoze??
I place that within the hundreds. Anyone care to find an actual figure?
-
who gives a shit? just look at the results? i think M$ employed the 1 million proverbial monkeys, set them at random keyboards, and hoped that chaos theory would make one of them eventually write the perfect operating system...
besides, one of those monkeys might figure out the difference between quote:
originally posted by Ctrl Alt Del 123:
employees
and quote:
originally posted by psyjax:
developers
-
I don't care who works at MS and how many people work on the OS. Same thing with musicians, I love The Crystal Methods music, but know next to nothing about them. It really doesn't matter.
-
A neat trick the sys-admin guy at my college used to keep our hacking er I mean internet security class from rooting his box for a second time last semester was to remove uname. Man let me tell you it works. Try it.
-
Netscape 6.2.2 update now available with the XMLharddiskexpse bug solved...