miditek wrote: I reread the article, and yes, the fly-by type of installations are pretty bad, although not a completely new phenomenon. For instance, using the preview pane in most versions of MS Outlook allows nearly any type of file attachment or code to auto-execute, which is why we used to disable that feature via system policy at my previous employer.
JensJohansson wrote: I didn't read it carefully, because the animated cursor thing seemed the worst bit. But didn't it say icons as well? Most everything -- including the "desktop explorer" or whatever it's called -- displays icons for objects.
Yes, you're correct. The article does say that icons are affected as well. Most icons on the Windows desktop (which is actually a file/folder itself, more or less) are shortcuts though. This does seem a bit fishy, since Microsoft was trying like hell to promote the "iconless desktop" since the advent of XP itself. Perhaps they knew something all along regarding this vulnerability, and yet, refuse to fix it. They damn near abandoned IE development for years.
miditek wrote: (Note for IE users:) you can also manually disable or require a prompt for lots of things, such as file downloads, ActiveX controls, and the like under Internet Options -> Security -> Custom Level for each zone. It's not 100% perfect, but it does help.
JensJohansson wrote: That's the thing -- it's like "security by covering your ass" on Microsoft's part. "Well, we told you to disable everything and not open any files, anywhere.. what do you expect? You browsed the internet using our browser? Well, how stupid of you! I guess it's all your fault."
I understand what you're saying completely, and yes, it's a royal pain in the ass! IE itself is anything but secure, although, Uncle Bill does provide the tools to mitigate a lot of the issues. I frequently explain to management (at various clients) that the human factor, such as user stupidity, cannot be ignored, and this is particularly the rule in a business environment.
I've observed lots of users doing everything except their jobs (chat rooms, gambling sites, porn sites, on-line games, e-cards; you name it!). Microsoft's strength is, and will always be, not necessarily in security per se, but in its desktop and server applications. That's really the only reason why corporations put up with all of this bullshit: it's to run their accounting and messaging systems, and related items. Microsoft's (and its partners') applications are highly evolved, even if the security is not, at least out of the box.
Home users and consumers are a different story altogether, and I must confess that I'll frequently "hide" when friends, neighbors, and family call complaining about their problems. (I hear enough of it during the day from customers!)
UAC is, like DEP (Data Execution Prevention), typical of Microsoft's band-aid approach to security. DEP won't even permit some legitimate print drivers and other applications to load! It has to be disabled via editing the boot.ini file. In order to do this, you have to unhide the boot.ini file, uncheck its read-only attrib, and then add the following switch to the command line: "/noexecute=AlwaysOff".
What is really needed with Microsoft is a complete rewrite and radical architectural change to the kernel itself, similar to how Apple completely got rid of its old Mac OS, in favor of the new OS X. Unfortunately, Microsoft can't/won't do this, since they are way up higher on the food chain of an installed base of Win32 applications.
So in other words, Apple had the luxury of being able to "orphan" the users of the classic Mac OS, where it is not a realistic option for Microsoft, unfortunately.
You can disable UAC in Vista via several methods; my particular favorite is via regedit:
DWORD=EnableLUA (change value from 1 to 0)
You can also use MSCONFIG to do the same thing:
Start -> Run -> MSCONFIG -> Tools -> Disable UAC (X)
My brother is running Vista at his company, and they have really good IT staff there. They asked me to set up a remote office and VPN connections for them, and the systems were preconfigured rather well, and run most newer software, such as AutoCAD, MS Office, Acrobat Professional, and other business apps with little or no problems.
Unfortunately, many end users will have a tough time getting used to it, since Microsoft loves to hide things in each new release. I'm afraid that many people may find that even simple tasks in Vista (like opening a command prompt) will seem like an Easter egg hunt!
JensJohansson wrote: BTW it doesn't seem there is any way to get Firefox to display an animated cursor, just a static image, but I am not 100% sure.
When I checked the test page on your site, I used both IE, as well as Firefox. Only IE would display the animated icon. Does this make Firefox safer than IE for general use? Certainly to a degree, but it's important to keep in mind that many of the security bulletins from CERT advise security administrators that many exploits are written to where IE doesn't have to be running, but only present on the system. After all, IE and Windows are pretty tightly intertwined, which imo, was a stupid thing to do on Microsoft's part.
JensJohansson wrote: Me? Certainly not going for vista yet... and sticking with Firefox for all sites where IE can be avoided (it's like 99% for me).
I really don't blame you. As with all new versions of Windows, any RTM (Release to Manufacturing) version is going to suck. You'd save yourself a lot of headaches by waiting for Vista SP1, at least. I personally prefer Firefox myself, and generally leave IE for corporate installations (to leverage IEAK and system & group policy tools), as well as for MS SharePoint services.
JensJohansson wrote: The vmware idea is great, I forgot they made a free sandbox player nowadays, thanks!! =)
VMware is a great tool.
Global virtualization of all Microsoft products is a dream that I've had for a long time! They (Redmond) think I'm crazy, but we know better!
VirtualPC is also a very good tool, and yes, you can build VMs in Virtual PC with other operating systems, such as Fedora, with a little tweaking....