Internet Explorer determines whether an object is safe by interpreting the file extension specified in the "Object Data" tag. This allows a malicious person to specify a "safe" file with, e.g., a ".html" extension in "Object Data", which causes Internet Explorer to treat it as a "safe" file. However, when the file is retrieved, the "Content-Type" header determines how Internet Explorer actually handles it. This allows an executable file such as a ".hta" file to be treated as a "safe" file and be executed silently without restrictions.
NOTE: Further information has been released by http-equiv, proving that the patch from Microsoft is not adequate. Refer to solution section.
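The advisory above turns on one thing a defender can actually observe: the extension in the "Object Data" reference says one thing and the response's Content-Type header says another. The following is an added example (not code from Secunia, http-equiv or the page's author) that scans constructed proxy log lines and flags exactly that disagreement, plus any response served as application/hta at all. The log format (`timestamp method url status content-type`), the list of extensions treated as harmless and the sample hosts are assumptions made for this example.

```python
"""Flag proxy log entries where the file extension Internet Explorer would
judge "safe" in <object data="..."> disagrees with the server's Content-Type.

Added example; the log layout and sample lines below are constructed.
"""
from urllib.parse import urlparse
from typing import Dict, List, Optional

# Extensions that the extension-based check in IE treats as harmless (assumed list).
SAFE_EXTENSIONS = {".html", ".htm", ".txt", ".gif", ".jpg", ".jpeg", ".png"}

# Content types that run code when rendered. The advisory names HTA; extend as needed.
ACTIVE_CONTENT_TYPES = {"application/hta"}

# Constructed sample log: "<timestamp> <method> <url> <status> <content-type>".
# A lone "-" means the response carried no Content-Type (e.g. a 304).
SAMPLE_LOG = """\
2003-09-10T12:00:01Z GET http://intranet.example/news.html 200 text/html; charset=iso-8859-1
2003-09-10T12:00:02Z GET http://ads.example/banner.gif 200 image/gif
2003-09-10T12:00:03Z GET http://198.51.100.7/loader.html 200 application/hta
2003-09-10T12:00:04Z GET http://cdn.example/notes.txt 304 -
2003-09-10T12:00:05Z GET http://198.51.100.7/install.hta 200 application/hta
"""


def extension_of(url: str) -> str:
    """Return the lower-cased extension of the URL path, or '' if it has none."""
    path = urlparse(url).path
    dot, slash = path.rfind("."), path.rfind("/")
    return path[dot:].lower() if dot > slash else ""


def normalise_type(raw: str) -> str:
    """Strip parameters such as '; charset=...' and lower-case the media type."""
    return raw.split(";", 1)[0].strip().lower()


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into fields; the Content-Type field may contain spaces."""
    parts = line.split(" ", 4)
    if len(parts) != 5:
        return None
    ts, method, url, status, ctype = parts
    return {"ts": ts, "method": method, "url": url,
            "status": status, "ctype": normalise_type(ctype)}


def classify(rec: Dict[str, str]) -> Optional[str]:
    """Reason to alert on a record, or None.

    'spoofed-extension': harmless-looking extension, active Content-Type
                         (the mismatch the advisory describes).
    'active-content':    active Content-Type with an honest extension; still
                         worth knowing about, since the type alone drives execution.
    """
    if rec["ctype"] in ("", "-"):
        return None
    if rec["ctype"] not in ACTIVE_CONTENT_TYPES:
        return None
    if extension_of(rec["url"]) in SAFE_EXTENSIONS:
        return "spoofed-extension"
    return "active-content"


def scan_log(log_text: str) -> List[Dict[str, str]]:
    """Return one hit per suspicious line, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec)
        if reason is not None:
            hits.append({"ts": rec["ts"], "url": rec["url"],
                         "ext": extension_of(rec["url"]),
                         "ctype": rec["ctype"], "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["reason"]:18} {hit["ctype"]} {hit["url"]}')
```

The check is deliberately on the response side: the extension in the page's markup is attacker-controlled, while the Content-Type in the proxy log reflects what the server actually sent and what IE will act on, so that is the field worth alerting on.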
This unending parade of security flaws will never stop. Between ActiveX, Microsoft-hacked Java, and HTA scripting, Internet Explorer is nothing but a collection of security flaws that loads web pages as an afterthought. Now they can't even do a proper job of patching the vulnerabilities they know exist.
Remember Surferbar which I discussed last week? Security experts have discovered that Surferbar is exploiting one of the flaws discussed in Secunia's article to install itself. We have reason to believe that two other malware distributors also might be using, or at least testing it.
If you are using Internet Explorer as your primary browser, you are most likely vulnerable to this flaw. You can find out for sure by taking this test.
Do you want to know how to be completely safe from these security flaws? Do you want to know how to be 100% safe from driveby malware that installs right through the browser? The answer is very simple: use a real browser, not a web browsing extension tied to a Microsoft operating system. http://texturizer.net/firebird/ http://www.opera.com/
I'm not being sarcastic. I am dead serious. Internet Explorer is not safe, except for when the most draconian precautions are taken. It is a bare bones, featureless browser that doesn't even provide tabbed browsing. I guarantee you, if you switch to Mozilla Firebird and use it for a while you will never want to use Internet Explorer again. Read all about Firebird at the official help site and decide for yourself.
The True Believer: Can Mike Doyle Do to Microsoft What the Rest of the Computer Industry and the Department of Justice Couldn't Do?
By Robert X. Cringely
These are happy days in Redmond, Washington, with Microsoft having defeated, coopted, or survived the Department of Justice, depending on what side of the issue you stand. Microsoft shares are surging, and the future seems bright with only a few more legal speed bumps in the way. There are the private anti-trust suits from AOL/Netscape, Sun, and others. There are a few class-action lawsuits still pending in California, where Microsoft runs afoul of a state anti-trust law. And there are the inevitable patent infringement cases that have dogged Microsoft for years. These latter lawsuits are the topic of this column.
The only part of the final judgment I like is the part most Microsoft foes hate the most. Instead of a panel of three outside observers to monitor Microsoft's compliance with the judgment, the compliance officer will be one person chosen by Microsoft from its own ranks. While this would appear to be a matter of having the fox guard the hen house, the judgment specifically makes the Microsoft board of directors personally responsible for compliance. So if the compliance officer, in a moment of weakness, looks the other way as Microsoft crushes an opponent in violation of the judgment, Gates, Ballmer, Shirley and the others will have to pay, personally. I like that.
Two facts emerge from the final judgment issued last week -- that Microsoft has abused its monopoly and that this judgment makes no effort to deprive the company of the fruits of that abuse. This is interesting because the point of Federal anti-trust law is two-fold, to prevent or correct abuses and to deprive from the abusers the benefit -- called the fruit -- of their crimes. No fruit here. Microsoft pays no fine, gives no rebates, distributes no free product. The company sits on $40.5 BILLION in cash, at least some of which can be counted as fruit, and that cash remains intact.
Isn't that odd? You'd think the Bush Administration could use some extra money for fighting terrorism or drilling for oil in wildlife refuges or even paying-down the national debt, but no. Microsoft would have GLADLY paid a few billion to receive the very judgment they got last week, so this was a true missed opportunity on the part of the government. Heck, they could have just sent the Operation Saddam bill to Redmond, and Bill Gates would have paid it.
Instead, it is left to the private anti-trust suits to seek damages. These suits have been "tolled" (lawyerspeak for "delayed") until the Department of Justice suit was settled, which is now.
Sun wants $1 billion, for example, and some behavioral changes in the way Microsoft does business. But in the current economic climate, would Sun take a quick $1 billion and no behavioral changes? They probably would if the alternative was years of protracted litigation. So too with AOL, a company that has almost completely subsumed Netscape and could sure use some extra revenue in the current lousy ad market.
If Microsoft is smart they will quickly settle these suits -- all of the anti-trust suits -- for cash. I can't imagine that it would cost more than $5 billion, total, and maybe a lot less. Microsoft gets good PR for coming clean and its cash stash drops a bit, helping the company to justify its continued reluctance to pay a dividend or buy back stock.
Bill Gates once told me that he liked to keep enough money on hand so that Microsoft could go a full year operating as normal, but with no revenue at all. Taking Microsoft's $32 billion in expected sales for the current fiscal year and deducting its expected $10 billion in profit, that means it takes $22 billion to run the store for a year, meaning Microsoft has plenty of money to pay off its enemies and still hold enough reserves to keep Bill happy.
All of this depends, of course, on the willingness of the remaining plaintiffs to settle for money alone. Most of the parties will do this. Certainly, the public companies like Sun and AOL would be hard-pressed not to, since shareholders might view rejecting a billion in cash as acting against their fiduciary responsibility. The class action suits are generally looking for money. And Microsoft has a long tradition of quietly paying-off plaintiffs in its intellectual property cases.
But what if they won't settle for money? This brings us to Mike Doyle, who runs tiny Eolas Technology Inc., which controls a patent that covers embedding plug-ins, applets, scriptlets, or ActiveX Controls into Web pages -- the use of any algorithm that implements dynamic, bi-directional communications between an app embedded in a Web page and external applications. That more or less defines how the World Wide Web is used today. As I have written before, Eolas is suing Microsoft for patent infringement, and has been generally wiping the floor with Redmond. Of course, so did the DoJ, and look how THAT turned out. The suit comes to trial in the spring and should be very interesting, not just because of the principles involved, but also because Mike Doyle and Eolas insist they are looking for more than just money.
"It would sure be nice for someone to actually consider all of this from our point of view, rather than MS's," wrote Doyle in a recent message to me. "It amazes me that everyone just assumes that MS will be able to merely write a check and make the whole thing go away. What if someone went through the following, purely theoretical, of course ;-), logical analysis?"
"Is there any practical settlement amount that is worth more to Eolas than a victory at trial? Considering the facts in the case and the magnitude of the stakes here, a highly likely outcome is that it will actually go to trial, and, once it does, that a jury will award us both damages and an injunction. Injunction is the key word here. That is what patent rights provide: the power to exclude. What if we were to just say no? Or, what if some other big player were to acquire or merge with us? What if only one best-of-breed browser could run embedded plug-ins, applets, ActiveX controls, or anything like them, and it wasn't IE? How competitive would the other browsers be without those capabilities? How would that change the current dynamics in the Industry?"
"One possible scenario is that Eolas would have the power necessary to re-establish the browser-as-application-platform as a viable competitor to Windows. That would be an interesting outcome, wouldn't it? How much would that be worth? The Web-OS concept, where the browser is the interface to all interactive apps on the client side, was always a killer idea. It still is. It lost momentum not because it wasn't economically or technically feasible, but because MS made it unlikely for anybody but them to make money on the Web-client side. Therefore, nobody could justify the necessary investment to take a really-serious shot at it. It doesn't have to be that way, does it? Just think of how we could use this patent to re-invigorate and expand the competitive landscape in this recently-moribund industry. What if we could do what the DOJ couldn't, and in the process make Eolas and everybody else, possibly excluding MS, richer? Wouldn't Eolas stand to profit more in such a scenario than any kind of pre-trial settlement could provide? Wouldn't everybody else?"
"The last couple of years in IT seem to have convinced people that the current status quo will continue indefinitely. They seem to have forgotten what seemed so obvious as little as three years ago, that change is the only invariance. That axiom has always proven out in the past, and I'm certain it will continue to do so in the future."
So will Mike Doyle give in to the Microsoft checkbook or will he opt, instead, to change the world of IT as we know it, knocking Microsoft down to size along the way? And notice how he referred to mergers and investors and being acquired? What if an IBM or an AOL or some party behind door number three was to do exactly that?
Microsoft wants to give control of your computing environment to the folks who really ought to have it. Who are, of course, the fine folks at Microsoft.
Their latest license agreements allow them to probe your computers and upload software at will, which is causing problems for banks and hospitals, who are required by law to restrict access of third parties to their clients' private information. Indeed, one banker who raised questions about this was apparently told that Microsoft "plans eventually to eliminate users' ability to disable Microsoft's access to their systems".
They're not the government. They don't need no steenking search warrants. Hard-core libertarians, if you want to know what a legal system dictated by the unfettered marketplace looks like, this is it.
HERE'S SOMETHING THAT cries for a safeguard: the world of computer bits. An endless roster of security holes allows cyber-thieves to fill up their buffers with credit-card numbers and corporate secrets. It's easier to vandalize a Web site than to program a remote control. Entertainment moguls boil in their hot tubs as movies and music are swapped, gratis, on the Internet. Consumers fret about the loss of privacy. And computer viruses proliferate and mutate faster than they can be named. Microsoft's Windows reputation as the 'cyberslut for hackers' says they now will have the solution for all your privacy concerns....be worried, be very worried.
Newsweek: The Big Secret. The plan, revealed for the first time to NEWSWEEK, is... Palladium, and it's one of the riskiest ventures the company has ever attempted. Though Microsoft does not claim a panacea, the system is designed to dramatically improve our ability to control and protect personal and corporate information. [Tomalak's Realm]
Think about it, what is Microsoft's main concern? When have they done anything for you instead of to you?
Your computer crashes badly and won't boot. You remove your hard drive and connect it to another computer to retrieve all your important files and move them to another computer. Won't happen anymore, because any other computer with a different decipher key won't be able to decrypt your files. The Palladium security will be protecting your files .... especially from you. Such a deal.
For the software publishing industry, video games are a numbers game. And for now, Microsoft is on the losing end. Game publishers say it's a simple matter of economics.
That's the upshot from the Electronics Entertainment Expo, the game industry's main trade show, where new games for Microsoft's Xbox have largely been limited to "me too" titles--games already appearing on other consoles. Microsoft has said it expects to have more than 200 games for the Xbox by the end of the year, but less than two dozen of those will be exclusive Xbox titles from third-party publishers.
Sony, by contrast, is touting high-profile exclusives from game publishers. "Grand Theft Auto III," the top-selling video game for the past few months, will remain available only for Sony's PlayStation 2, with publisher Take Two Interactive Software scrapping previous plans for an Xbox version. New versions of Eidos' "Tomb Raider" and Electronic Arts' "Medal of Honor" franchises will also be available only for the PS2, as will upcoming online and offline updates of the "Final Fantasy" series from longtime Sony booster Squaresoft.
Game publishers say it's a simple matter of economics. With Sony having sold more than 30 million PlayStation 2 units worldwide and the Xbox just edging up to the 4 million mark, they have to put their money where the market is. The result is that even the biggest Xbox supporters are producing two PlayStation 2 games for every Xbox title.