IE6, Time to say goodbye?

An article in the Wall Street Journal on 1-22-2010 titled "Microsoft 
Scrambles To Patch Browser"  states the the Goverment of France and Germany 
publicaly announced that internet users not use IE, that users switch to a 
competing software until Microsoft issues a security patch. (The patch was 
resleased this week)

To read the article go to :
http://online.wsj.com/article/SB20001424052748703405704575015421102972994.html

The following is a quote from the article and includes a comment from 
Microsoft:

"The current security hole in Internet Explorer also highlights how 
difficult it is, in practice, to persuade Web users to change their habits. 
While all versions of Internet Explorer contain the vulnerability, Microsoft 
said it can only be exploited effectively in Internet Explorer 6, a version 
of the browser that came out more than eight years ago. 

Still, Internet Explorer 6 remains the most popular browser version, 
accounting for just under 21% of traffic to Web sites, slightly ahead of 
Microsoft's more-secure Internet Explorer 8, according to researchers at Net 
Applications."

I posted a question [ IE6 vs IE& vs IE8 on SBS ] to this forum a last May 
about using IE6 and a lot of good comments resulted. 


I'm beginning to wonder if it is time to go to IE8 on the server. Personally 
I've been hassed several times by IE8, and have gotten to the point when I do 
install it on a desktop I don't elect a lot  of the features it offers. Some 
say it is a problem with W2003, but isn't it standard in W2008? Is the server 
download different than the desktop download?

Looking forward to your input.

Joe





0
Utf
1/23/2010 2:05:01 AM
windows.server.sbs 1975 articles. 0 followers. Follow

15 Replies
1280 Views

Similar Articles

[PageSpeed] 3

Sorry, If you want to read the whose article Google "Microsoft Scrambles To 
Patch Browser " and use their link to the Wall Street Journal article.

"Joe#2" wrote:

> An article in the Wall Street Journal on 1-22-2010 titled "Microsoft 
> Scrambles To Patch Browser"  states the the Goverment of France and Germany 
> publicaly announced that internet users not use IE, that users switch to a 
> competing software until Microsoft issues a security patch. (The patch was 
> resleased this week)
> 
> To read the article go to :
> http://online.wsj.com/article/SB20001424052748703405704575015421102972994.html
> 
> The following is a quote from the article and includes a comment from 
> Microsoft:
> 
> "The current security hole in Internet Explorer also highlights how 
> difficult it is, in practice, to persuade Web users to change their habits. 
> While all versions of Internet Explorer contain the vulnerability, Microsoft 
> said it can only be exploited effectively in Internet Explorer 6, a version 
> of the browser that came out more than eight years ago. 
> 
> Still, Internet Explorer 6 remains the most popular browser version, 
> accounting for just under 21% of traffic to Web sites, slightly ahead of 
> Microsoft's more-secure Internet Explorer 8, according to researchers at Net 
> Applications."
> 
> I posted a question [ IE6 vs IE& vs IE8 on SBS ] to this forum a last May 
> about using IE6 and a lot of good comments resulted. 
> 
> 
> I'm beginning to wonder if it is time to go to IE8 on the server. Personally 
> I've been hassed several times by IE8, and have gotten to the point when I do 
> install it on a desktop I don't elect a lot  of the features it offers. Some 
> say it is a problem with W2003, but isn't it standard in W2008? Is the server 
> download different than the desktop download?
> 
> Looking forward to your input.
> 
> Joe
> 
> 
> 
> 
> 
0
Utf
1/23/2010 2:34:01 AM
As I'm sure many posted before if you brought it up in May, don't browse 
from the server.  Ever.  Not even once.

Even though the flaw seems to only be *exploitable* in IE6, it still 
requires visiting a malicious website.  And how do you get to a website with 
the malicious code?  By visiting sites you found via Google, or a forum, or 
something similar.  So if you aren't browsing on the server then you aren't 
at risk, even with IE6.  Problem averted.

-Cliff


"Joe#2" <Joe2@discussions.microsoft.com> wrote in message 
news:E87C96B6-5C60-4DAB-B026-03229D189E10@microsoft.com...
> An article in the Wall Street Journal on 1-22-2010 titled "Microsoft
> Scrambles To Patch Browser"  states the the Goverment of France and 
> Germany
> publicaly announced that internet users not use IE, that users switch to a
> competing software until Microsoft issues a security patch. (The patch was
> resleased this week)
>
> To read the article go to :
> http://online.wsj.com/article/SB20001424052748703405704575015421102972994.html
>
> The following is a quote from the article and includes a comment from
> Microsoft:
>
> "The current security hole in Internet Explorer also highlights how
> difficult it is, in practice, to persuade Web users to change their 
> habits.
> While all versions of Internet Explorer contain the vulnerability, 
> Microsoft
> said it can only be exploited effectively in Internet Explorer 6, a 
> version
> of the browser that came out more than eight years ago.
>
> Still, Internet Explorer 6 remains the most popular browser version,
> accounting for just under 21% of traffic to Web sites, slightly ahead of
> Microsoft's more-secure Internet Explorer 8, according to researchers at 
> Net
> Applications."
>
> I posted a question [ IE6 vs IE& vs IE8 on SBS ] to this forum a last May
> about using IE6 and a lot of good comments resulted.
>
>
> I'm beginning to wonder if it is time to go to IE8 on the server. 
> Personally
> I've been hassed several times by IE8, and have gotten to the point when I 
> do
> install it on a desktop I don't elect a lot  of the features it offers. 
> Some
> say it is a problem with W2003, but isn't it standard in W2008? Is the 
> server
> download different than the desktop download?
>
> Looking forward to your input.
>
> Joe
>
>
>
>
> 
0
Cliff
1/23/2010 6:15:55 AM
I'm kind of with Cliff on this
From the server the only sites I visit is Microsoft Download
Sun Micro for Java
and Where the AV is Downloaded
(And any vendor sites like Drivers)

I don't do any "surfing" from the clients server.
(That's why I have my laptop with security set to max)
And I tell my clients to NEVER surf from the server.
(Remember a server is a server not a work station.)

Although the question is interesting...

To me this is like asking if the toilet paper should roll from the bottom or 
top.
and individual thing!

However we all know that TP must roll from the Top.. :) Duh!
Russ

-- 
Russell Grover - SBITS.Biz [SBS-MVP]
Microsoft Gold Certified Partner
Microsoft Certified Small Business Specialist
24hr SBS Remote Support - http://www.SBITS.Biz
Microsoft Online Services - http://www.microsoft-online-services.com


"Cliff Galiher - MVP" <cgaliher@gmail.com> wrote in message 
news:uH5JDO$mKHA.216@TK2MSFTNGP06.phx.gbl...
> As I'm sure many posted before if you brought it up in May, don't browse 
> from the server.  Ever.  Not even once.
>
> Even though the flaw seems to only be *exploitable* in IE6, it still 
> requires visiting a malicious website.  And how do you get to a website 
> with the malicious code?  By visiting sites you found via Google, or a 
> forum, or something similar.  So if you aren't browsing on the server then 
> you aren't at risk, even with IE6.  Problem averted.
>
> -Cliff
>
>
> "Joe#2" <Joe2@discussions.microsoft.com> wrote in message 
> news:E87C96B6-5C60-4DAB-B026-03229D189E10@microsoft.com...
>> An article in the Wall Street Journal on 1-22-2010 titled "Microsoft
>> Scrambles To Patch Browser"  states the the Goverment of France and 
>> Germany
>> publicaly announced that internet users not use IE, that users switch to 
>> a
>> competing software until Microsoft issues a security patch. (The patch 
>> was
>> resleased this week)
>>
>> To read the article go to :
>> http://online.wsj.com/article/SB20001424052748703405704575015421102972994.html
>>
>> The following is a quote from the article and includes a comment from
>> Microsoft:
>>
>> "The current security hole in Internet Explorer also highlights how
>> difficult it is, in practice, to persuade Web users to change their 
>> habits.
>> While all versions of Internet Explorer contain the vulnerability, 
>> Microsoft
>> said it can only be exploited effectively in Internet Explorer 6, a 
>> version
>> of the browser that came out more than eight years ago.
>>
>> Still, Internet Explorer 6 remains the most popular browser version,
>> accounting for just under 21% of traffic to Web sites, slightly ahead of
>> Microsoft's more-secure Internet Explorer 8, according to researchers at 
>> Net
>> Applications."
>>
>> I posted a question [ IE6 vs IE& vs IE8 on SBS ] to this forum a last May
>> about using IE6 and a lot of good comments resulted.
>>
>>
>> I'm beginning to wonder if it is time to go to IE8 on the server. 
>> Personally
>> I've been hassed several times by IE8, and have gotten to the point when 
>> I do
>> install it on a desktop I don't elect a lot  of the features it offers. 
>> Some
>> say it is a problem with W2003, but isn't it standard in W2008? Is the 
>> server
>> download different than the desktop download?
>>
>> Looking forward to your input.
>>
>> Joe
>>
>>
>>
>>
>> 
0
Russ
1/23/2010 6:08:18 PM
"Russ SBITS.Biz [SBS-MVP]" <russ@REMOVETHIS.sbits.biz> wrote in message 
news:26A3CBB7-60FF-472B-B54E-0E121A22F5A4@microsoft.com...
> I'm kind of with Cliff on this
> From the server the only sites I visit is Microsoft Download
> Sun Micro for Java
> and Where the AV is Downloaded
> (And any vendor sites like Drivers)
>
> I don't do any "surfing" from the clients server.
> (That's why I have my laptop with security set to max)
> And I tell my clients to NEVER surf from the server.
> (Remember a server is a server not a work station.)
>
> Although the question is interesting...
>
> To me this is like asking if the toilet paper should roll from the bottom 
> or top.
> and individual thing!
>
> However we all know that TP must roll from the Top.. :) Duh!
> Russ
>
> -- 
> Russell Grover - SBITS.Biz [SBS-MVP]
> Microsoft Gold Certified Partner
> Microsoft Certified Small Business Specialist
> 24hr SBS Remote Support - http://www.SBITS.Biz
> Microsoft Online Services - http://www.microsoft-online-services.com
>

I don't know about that. Some others in the household will put the roll in 
backwards, but to them it's correct. :-)

But I agree, I don't use my customer servers to browse. I will use my own 
laptop while remoted into the server, such as when researching an issue, 
then finding something relevant (such as a download fix, or code to copy, 
etc), I'll copy/paste the URL to the RDP session to grab it.

I also do update my all servers to IE8. I may be wrong, and I haven't 
researched this, but I believe there's other functionality and security 
features that are introduced into the OS with installing the newer browsers.

-- 
Ace

This posting is provided "AS-IS" with no warranties or guarantees and 
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among 
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & 
MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please 
contact Microsoft PSS directly. Please check http://support.microsoft.com 
for regional support phone numbers.



0
Ace
1/23/2010 6:20:36 PM
Okay, I feel strongly enough about this that I need to actually fully 
explain my position here.  This will probably be a long post, but...I 
hope...well worth the time to read.

To understand "the google hack" and its risks, let me start by establishing 
a timeline, but I'll do so by working backwards.  First, we know that the 
bug was made public in mid-January.  But as news has trickled out about 
this, we now have learned that Google saw their servers being probed for 
information about "Chinese dissidents" in early December.  Now keep that in 
mind!  For google to get probed, it means that an admin password had already 
been disclosed by the bug, and that the infection rate was already high 
enough for this to have occurred.  That means that the bug has *probaby* 
been exploited since *at least* November if not earlier.  After all, it 
takes some time for these exploits to get out, spread across enough sites 
that random visits will load it, and for it to reach a "critical mass." 
Based on the number of infections reported, I'd guess it has been in the 
wild for a few months.

Now for my speculation.  Do I believe two people can independently find the 
same bug?  Yes, I do.  We've seen it before.  But this wasn't a *new* bug. 
It wasn't introduced with a patch.  It has been around for 8 years.  So what 
are the chances that two people find the same 8-year old bug so close 
together that MS was *already* planning a February patch when the bug was 
exploited by the second party?  I don't believe in coincidences.  I do 
believe that humans are flawed creatures and a moment of weakness and greed 
from one lowly intern can result in a privately disclosed flaw being sold to 
an unscrupulous party willing to pay for and use it.  If I'm right then this 
bug was in the hands of hackers in August when the bug was discovered.  It 
is a trivial flaw, so it could've been weaponized and the code sprayed on 
forums starting from that point.

If I'm right then this flaw has been on random websites for 6 months.  If 
I'm wrong then it has been out for approximately 3 months.  That is still a 
nice sized window for machines to get infected.

Now let's look at the flaw itself.  MS has said it exists in IE6, 7, *and* 
8.  Most of the reported infections are XP with IE6.  But that is because 
most of the *computers* in the world still run XP.  If a 2003 server running 
IE8 gets infected, statistically that is still very low and won't get 
reported in the general news-stream.  Microsoft has gone through great pains 
to document what circumstances can help mitigate the attack.  DEP helps. 
But particularly in SBS land, there are older servers that don't support DEP 
still in production.  After a company has spent money on storage and 
networking, they will, more often than not, go with a budget processor to 
save a little money.  In 2006 that meant it was still server class; fast and 
reliable, Xeon with a good amount of cache to keep speeds up, but without 
64-bit support (not needed with an SBS 2003 installation) and no 
virtualization or DEP support either.  No DEP?  IE8 is just as vulnerable as 
IE6.  So upgrading the browser offers *no* protection in this instance.

Secondly is the "Enhanced Security Configuration" of IE on a server.  If you 
even hit "known" sites like the MS download site, or Sun for Java, chances 
are you've turned off ESC though.  It gets in the way.  ....and it removed a 
barrier that MS has said protects against this attack.  Another reason to 
not browse from the server, even to "known" sites. It makes you lazy, makes 
you disable things that are better left enabled, and puts your server at 
risk.

Which brings me to my final point.  How do you know you can trust those 
sites?  I recall when the Linksys homepage had "trending support topics" on 
their homepage.  It was obviously a server-side snippet that would pull bits 
of conversation from their forums that were seeing high response volumes and 
post a few lines.  Since most forums are database driven, it is an easy 
thing to implement.  And if one of those responses had a snippet of 
javascript that exploited this code?  Just visiting a known site could 
*still* get you infected. Banner ads are another great infection point, and 
how many 3rd-party vendors have banner ads on their sites?

And if we are going to be completely honest, if you are on the server to 
install a driver, chances are you were browsing as an Administrator.  You 
weren't going to log in as a standard user, download the driver, log out, 
log in as Administrator, install, and log back out *again* were you?  So now 
we have a situation where there was "browsing" (even in a limited sense) 
with full *domain* administrator privileges, from a server with *no* 
protection (DEP nor ESC) in the name of convenience, with an exploit that 
has been in the wild for *months* without getting noticed.  Tell me that 
isn't a recipe for disaster?

I have said it before and I'll say it again. If I want to download something 
from MS or Sun, I'll do so from a laptop and save it to a file-share so I 
can access *just* the executable from the server.  Windows Update is the 
obvious exception, but that is not by choice.  That is purely the decision 
of MS to make the update process web-based in XP and 2003 thus making it 
unavoidable in those OS's.

In short? I cannot think of *any* reason to use the browser on a server. 
Thus I don't need Flash or Silverlight.  I only need Java if a 3rd-party app 
uses it for non-browser code (there are certainly a few.) And the browser 
window only gets opened when an app does so (windows update, Sharepoint 
Central Administration, etc.)  That also means, that unlike most people, the 
servers I'm responsible for still have ESC enabled most of the time.

....

I will agree with Ace though that there are other DLLs that the OS uses from 
IE (for MMC rendering, etc) that make updating the browser itself a 
worthwhile exercise.  Although I usually don't jump to the newest browser 
until I know that some of the 3rd party apps that *also* use the IE engine 
have also been updated so rendering errors don't cause more headache than 
they are worth.

So, is it time to say good-bye to IE6?  It certainly won't hurt anything. 
But is that the solution to this latest threat?  Not in the least.  We need 
to change our habits, not our browsers.

-Cliff


"Ace Fekay [MVP-DS, MCT]" <aceman@mvps.RemoveThisPart.org> wrote in message 
news:OqNSDjFnKHA.5464@TK2MSFTNGP02.phx.gbl...
> "Russ SBITS.Biz [SBS-MVP]" <russ@REMOVETHIS.sbits.biz> wrote in message 
> news:26A3CBB7-60FF-472B-B54E-0E121A22F5A4@microsoft.com...
>> I'm kind of with Cliff on this
>> From the server the only sites I visit is Microsoft Download
>> Sun Micro for Java
>> and Where the AV is Downloaded
>> (And any vendor sites like Drivers)
>>
>> I don't do any "surfing" from the clients server.
>> (That's why I have my laptop with security set to max)
>> And I tell my clients to NEVER surf from the server.
>> (Remember a server is a server not a work station.)
>>
>> Although the question is interesting...
>>
>> To me this is like asking if the toilet paper should roll from the bottom 
>> or top.
>> and individual thing!
>>
>> However we all know that TP must roll from the Top.. :) Duh!
>> Russ
>>
>> -- 
>> Russell Grover - SBITS.Biz [SBS-MVP]
>> Microsoft Gold Certified Partner
>> Microsoft Certified Small Business Specialist
>> 24hr SBS Remote Support - http://www.SBITS.Biz
>> Microsoft Online Services - http://www.microsoft-online-services.com
>>
>
> I don't know about that. Some others in the household will put the roll in 
> backwards, but to them it's correct. :-)
>
> But I agree, I don't use my customer servers to browse. I will use my own 
> laptop while remoted into the server, such as when researching an issue, 
> then finding something relevant (such as a download fix, or code to copy, 
> etc), I'll copy/paste the URL to the RDP session to grab it.
>
> I also do update my all servers to IE8. I may be wrong, and I haven't 
> researched this, but I believe there's other functionality and security 
> features that are introduced into the OS with installing the newer 
> browsers.
>
> -- 
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and 
> confers no rights.
>
> Please reply back to the newsgroup or forum for collaboration benefit 
> among responding engineers, and to help others benefit from your 
> resolution.
>
> Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & 
> MCSA 2003/2000, MCSA Messaging 2003
> Microsoft Certified Trainer
> Microsoft MVP - Directory Services
>
> If you feel this is an urgent issue and require immediate assistance, 
> please contact Microsoft PSS directly. Please check 
> http://support.microsoft.com for regional support phone numbers.
>
>
> 
0
Cliff
1/23/2010 6:56:26 PM
Cliff Galiher - MVP wrote:
> Okay, I feel strongly enough about this that I need to actually fully 
> explain my position here.  This will probably be a long post, but...I 
> hope...well worth the time to read.
> 
> To understand "the google hack" and its risks, let me start by 
> establishing a timeline, but I'll do so by working backwards.  First, we 
> know that the bug was made public in mid-January.  But as news has 
> trickled out about this, we now have learned that Google saw their 
> servers being probed for information about "Chinese dissidents" in early 
> December.  Now keep that in mind!  For google to get probed, it means 
> that an admin password had already been disclosed by the bug, and that 
> the infection rate was already high enough for this to have occurred.  
> That means that the bug has *probaby* been exploited since *at least* 
> November if not earlier.  After all, it takes some time for these 
> exploits to get out, spread across enough sites that random visits will 
> load it, and for it to reach a "critical mass." Based on the number of 
> infections reported, I'd guess it has been in the wild for a few months.
> 
> Now for my speculation.  Do I believe two people can independently find 
> the same bug?  Yes, I do.  We've seen it before.  But this wasn't a 
> *new* bug. It wasn't introduced with a patch.  It has been around for 8 
> years.  So what are the chances that two people find the same 8-year old 
> bug so close together that MS was *already* planning a February patch 
> when the bug was exploited by the second party?  I don't believe in 
> coincidences.  I do believe that humans are flawed creatures and a 
> moment of weakness and greed from one lowly intern can result in a 
> privately disclosed flaw being sold to an unscrupulous party willing to 
> pay for and use it.  If I'm right then this bug was in the hands of 
> hackers in August when the bug was discovered.  It is a trivial flaw, so 
> it could've been weaponized and the code sprayed on forums starting from 
> that point.
> 
> If I'm right then this flaw has been on random websites for 6 months.  
> If I'm wrong then it has been out for approximately 3 months.  That is 
> still a nice sized window for machines to get infected.
> 
> Now let's look at the flaw itself.  MS has said it exists in IE6, 7, 
> *and* 8.  Most of the reported infections are XP with IE6.  But that is 
> because most of the *computers* in the world still run XP.  If a 2003 
> server running IE8 gets infected, statistically that is still very low 
> and won't get reported in the general news-stream.  Microsoft has gone 
> through great pains to document what circumstances can help mitigate the 
> attack.  DEP helps. But particularly in SBS land, there are older 
> servers that don't support DEP still in production.  After a company has 
> spent money on storage and networking, they will, more often than not, 
> go with a budget processor to save a little money.  In 2006 that meant 
> it was still server class; fast and reliable, Xeon with a good amount of 
> cache to keep speeds up, but without 64-bit support (not needed with an 
> SBS 2003 installation) and no virtualization or DEP support either.  No 
> DEP?  IE8 is just as vulnerable as IE6.  So upgrading the browser offers 
> *no* protection in this instance.
> 
> Secondly is the "Enhanced Security Configuration" of IE on a server.  If 
> you even hit "known" sites like the MS download site, or Sun for Java, 
> chances are you've turned off ESC though.  It gets in the way.  ....and 
> it removed a barrier that MS has said protects against this attack.  
> Another reason to not browse from the server, even to "known" sites. It 
> makes you lazy, makes you disable things that are better left enabled, 
> and puts your server at risk.
> 
> Which brings me to my final point.  How do you know you can trust those 
> sites?  I recall when the Linksys homepage had "trending support topics" 
> on their homepage.  It was obviously a server-side snippet that would 
> pull bits of conversation from their forums that were seeing high 
> response volumes and post a few lines.  Since most forums are database 
> driven, it is an easy thing to implement.  And if one of those responses 
> had a snippet of javascript that exploited this code?  Just visiting a 
> known site could *still* get you infected. Banner ads are another great 
> infection point, and how many 3rd-party vendors have banner ads on their 
> sites?
> 
> And if we are going to be completely honest, if you are on the server to 
> install a driver, chances are you were browsing as an Administrator.  
> You weren't going to log in as a standard user, download the driver, log 
> out, log in as Administrator, install, and log back out *again* were 
> you?  So now we have a situation where there was "browsing" (even in a 
> limited sense) with full *domain* administrator privileges, from a 
> server with *no* protection (DEP nor ESC) in the name of convenience, 
> with an exploit that has been in the wild for *months* without getting 
> noticed.  Tell me that isn't a recipe for disaster?
> 
> I have said it before and I'll say it again. If I want to download 
> something from MS or Sun, I'll do so from a laptop and save it to a 
> file-share so I can access *just* the executable from the server.  
> Windows Update is the obvious exception, but that is not by choice.  
> That is purely the decision of MS to make the update process web-based 
> in XP and 2003 thus making it unavoidable in those OS's.
> 
> In short? I cannot think of *any* reason to use the browser on a server. 
> Thus I don't need Flash or Silverlight.  I only need Java if a 3rd-party 
> app uses it for non-browser code (there are certainly a few.) And the 
> browser window only gets opened when an app does so (windows update, 
> Sharepoint Central Administration, etc.)  That also means, that unlike 
> most people, the servers I'm responsible for still have ESC enabled most 
> of the time.
> 
> ...
> 
> I will agree with Ace though that there are other DLLs that the OS uses 
> from IE (for MMC rendering, etc) that make updating the browser itself a 
> worthwhile exercise.  Although I usually don't jump to the newest 
> browser until I know that some of the 3rd party apps that *also* use the 
> IE engine have also been updated so rendering errors don't cause more 
> headache than they are worth.
> 
> So, is it time to say good-bye to IE6?  It certainly won't hurt 
> anything. But is that the solution to this latest threat?  Not in the 
> least.  We need to change our habits, not our browsers.
> 
> -Cliff
> 
> 
> "Ace Fekay [MVP-DS, MCT]" <aceman@mvps.RemoveThisPart.org> wrote in 
> message news:OqNSDjFnKHA.5464@TK2MSFTNGP02.phx.gbl...
>> "Russ SBITS.Biz [SBS-MVP]" <russ@REMOVETHIS.sbits.biz> wrote in 
>> message news:26A3CBB7-60FF-472B-B54E-0E121A22F5A4@microsoft.com...
>>> I'm kind of with Cliff on this
>>> From the server the only sites I visit is Microsoft Download
>>> Sun Micro for Java
>>> and Where the AV is Downloaded
>>> (And any vendor sites like Drivers)
>>>
>>> I don't do any "surfing" from the clients server.
>>> (That's why I have my laptop with security set to max)
>>> And I tell my clients to NEVER surf from the server.
>>> (Remember a server is a server not a work station.)
>>>
>>> Although the question is interesting...
>>>
>>> To me this is like asking if the toilet paper should roll from the 
>>> bottom or top.
>>> and individual thing!
>>>
>>> However we all know that TP must roll from the Top.. :) Duh!
>>> Russ
>>>
>>> -- 
>>> Russell Grover - SBITS.Biz [SBS-MVP]
>>> Microsoft Gold Certified Partner
>>> Microsoft Certified Small Business Specialist
>>> 24hr SBS Remote Support - http://www.SBITS.Biz
>>> Microsoft Online Services - http://www.microsoft-online-services.com
>>>
>>
>> I don't know about that. Some others in the household will put the 
>> roll in backwards, but to them it's correct. :-)
>>
>> But I agree, I don't use my customer servers to browse. I will use my 
>> own laptop while remoted into the server, such as when researching an 
>> issue, then finding something relevant (such as a download fix, or 
>> code to copy, etc), I'll copy/paste the URL to the RDP session to grab 
>> it.
>>
>> I also do update my all servers to IE8. I may be wrong, and I haven't 
>> researched this, but I believe there's other functionality and 
>> security features that are introduced into the OS with installing the 
>> newer browsers.
>>
>> -- 
>> Ace
>>
>> This posting is provided "AS-IS" with no warranties or guarantees and 
>> confers no rights.
>>
>> Please reply back to the newsgroup or forum for collaboration benefit 
>> among responding engineers, and to help others benefit from your 
>> resolution.
>>
>> Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE 
>> & MCSA 2003/2000, MCSA Messaging 2003
>> Microsoft Certified Trainer
>> Microsoft MVP - Directory Services
>>
>> If you feel this is an urgent issue and require immediate assistance, 
>> please contact Microsoft PSS directly. Please check 
>> http://support.microsoft.com for regional support phone numbers.
>>
>>
>>
MS officially knew about the bug since September.
0
Susan
1/23/2010 8:08:03 PM
I'm in full agreement about surfing on the server. After reading many of the 
past messages on this subject, I just don't hardly almost never succumb to 
that temptation.  I have restricted it to essential only. Quite frankly I'm 
almost getting paranoid though about everything. 

Which brings me back around to IE8. Is it a more secure browser ro not? Does 
it have protection builtin that inherantly raises the level or your server. 
Also, again is the version on W2008 in anyway different other than ESP being 
on?

"Cliff Galiher - MVP" wrote:

> Okay, I feel strongly enough about this that I need to actually fully 
> explain my position here.  This will probably be a long post, but...I 
> hope...well worth the time to read.
> 
> To understand "the google hack" and its risks, let me start by establishing 
> a timeline, but I'll do so by working backwards.  First, we know that the 
> bug was made public in mid-January.  But as news has trickled out about 
> this, we now have learned that Google saw their servers being probed for 
> information about "Chinese dissidents" in early December.  Now keep that in 
> mind!  For google to get probed, it means that an admin password had already 
> been disclosed by the bug, and that the infection rate was already high 
> enough for this to have occurred.  That means that the bug has *probaby* 
> been exploited since *at least* November if not earlier.  After all, it 
> takes some time for these exploits to get out, spread across enough sites 
> that random visits will load it, and for it to reach a "critical mass." 
> Based on the number of infections reported, I'd guess it has been in the 
> wild for a few months.
> 
> Now for my speculation.  Do I believe two people can independently find the 
> same bug?  Yes, I do.  We've seen it before.  But this wasn't a *new* bug. 
> It wasn't introduced with a patch.  It has been around for 8 years.  So what 
> are the chances that two people find the same 8-year old bug so close 
> together that MS was *already* planning a February patch when the bug was 
> exploited by the second party?  I don't believe in coincidences.  I do 
> believe that humans are flawed creatures and a moment of weakness and greed 
> from one lowly intern can result in a privately disclosed flaw being sold to 
> an unscrupulous party willing to pay for and use it.  If I'm right then this 
> bug was in the hands of hackers in August when the bug was discovered.  It 
> is a trivial flaw, so it could've been weaponized and the code sprayed on 
> forums starting from that point.
> 
> If I'm right then this flaw has been on random websites for 6 months.  If 
> I'm wrong then it has been out for approximately 3 months.  That is still a 
> nice sized window for machines to get infected.
> 
> Now let's look at the flaw itself.  MS has said it exists in IE6, 7, *and* 
> 8.  Most of the reported infections are XP with IE6.  But that is because 
> most of the *computers* in the world still run XP.  If a 2003 server running 
> IE8 gets infected, statistically that is still very low and won't get 
> reported in the general news-stream.  Microsoft has gone through great pains 
> to document what circumstances can help mitigate the attack.  DEP helps. 
> But particularly in SBS land, there are older servers that don't support DEP 
> still in production.  After a company has spent money on storage and 
> networking, they will, more often than not, go with a budget processor to 
> save a little money.  In 2006 that meant it was still server class; fast and 
> reliable, Xeon with a good amount of cache to keep speeds up, but without 
> 64-bit support (not needed with an SBS 2003 installation) and no 
> virtualization or DEP support either.  No DEP?  IE8 is just as vulnerable as 
> IE6.  So upgrading the browser offers *no* protection in this instance.
> 
> Secondly is the "Enhanced Security Configuration" of IE on a server.  If you 
> even hit "known" sites like the MS download site, or Sun for Java, chances 
> are you've turned off ESC though.  It gets in the way.  ....and it removed a 
> barrier that MS has said protects against this attack.  Another reason to 
> not browse from the server, even to "known" sites. It makes you lazy, makes 
> you disable things that are better left enabled, and puts your server at 
> risk.
> 
> Which brings me to my final point.  How do you know you can trust those 
> sites?  I recall when the Linksys homepage had "trending support topics" on 
> their homepage.  It was obviously a server-side snippet that would pull bits 
> of conversation from their forums that were seeing high response volumes and 
> post a few lines.  Since most forums are database driven, it is an easy 
> thing to implement.  And if one of those responses had a snippet of 
> javascript that exploited this code?  Just visiting a known site could 
> *still* get you infected. Banner ads are another great infection point, and 
> how many 3rd-party vendors have banner ads on their sites?
> 
> And if we are going to be completely honest, if you are on the server to 
> install a driver, chances are you were browsing as an Administrator.  You 
> weren't going to log in as a standard user, download the driver, log out, 
> log in as Administrator, install, and log back out *again* were you?  So now 
> we have a situation where there was "browsing" (even in a limited sense) 
> with full *domain* administrator privileges, from a server with *no* 
> protection (DEP nor ESC) in the name of convenience, with an exploit that 
> has been in the wild for *months* without getting noticed.  Tell me that 
> isn't a recipe for disaster?
> 
> I have said it before and I'll say it again. If I want to download something 
> from MS or Sun, I'll do so from a laptop and save it to a file-share so I 
> can access *just* the executable from the server.  Windows Update is the 
> obvious exception, but that is not by choice.  That is purely the decision 
> of MS to make the update process web-based in XP and 2003 thus making it 
> unavoidable in those OS's.
> 
> In short? I cannot think of *any* reason to use the browser on a server. 
> Thus I don't need Flash or Silverlight.  I only need Java if a 3rd-party app 
> uses it for non-browser code (there are certainly a few.) And the browser 
> window only gets opened when an app does so (windows update, Sharepoint 
> Central Administration, etc.)  That also means, that unlike most people, the 
> servers I'm responsible for still have ESC enabled most of the time.
> 
> ....
> 
> I will agree with Ace though that there are other DLLs that the OS uses from 
> IE (for MMC rendering, etc) that make updating the browser itself a 
> worthwhile exercise.  Although I usually don't jump to the newest browser 
> until I know that some of the 3rd party apps that *also* use the IE engine 
> have also been updated so rendering errors don't cause more headache than 
> they are worth.
> 
> So, is it time to say good-bye to IE6?  It certainly won't hurt anything. 
> But is that the solution to this latest threat?  Not in the least.  We need 
> to change our habits, not our browsers.
> 
> -Cliff
> 
> 
> "Ace Fekay [MVP-DS, MCT]" <aceman@mvps.RemoveThisPart.org> wrote in message 
> news:OqNSDjFnKHA.5464@TK2MSFTNGP02.phx.gbl...
> > "Russ SBITS.Biz [SBS-MVP]" <russ@REMOVETHIS.sbits.biz> wrote in message 
> > news:26A3CBB7-60FF-472B-B54E-0E121A22F5A4@microsoft.com...
> >> I'm kind of with Cliff on this
> >> From the server the only sites I visit is Microsoft Download
> >> Sun Micro for Java
> >> and Where the AV is Downloaded
> >> (And any vendor sites like Drivers)
> >>
> >> I don't do any "surfing" from the clients server.
> >> (That's why I have my laptop with security set to max)
> >> And I tell my clients to NEVER surf from the server.
> >> (Remember a server is a server not a work station.)
> >>
> >> Although the question is interesting...
> >>
> >> To me this is like asking if the toilet paper should roll from the bottom 
> >> or top.
> >> and individual thing!
> >>
> >> However we all know that TP must roll from the Top.. :) Duh!
> >> Russ
> >>
> >> -- 
> >> Russell Grover - SBITS.Biz [SBS-MVP]
> >> Microsoft Gold Certified Partner
> >> Microsoft Certified Small Business Specialist
> >> 24hr SBS Remote Support - http://www.SBITS.Biz
> >> Microsoft Online Services - http://www.microsoft-online-services.com
> >>
> >
> > I don't know about that. Some others in the household will put the roll in 
> > backwards, but to them it's correct. :-)
> >
> > But I agree, I don't use my customer servers to browse. I will use my own 
> > laptop while remoted into the server, such as when researching an issue, 
> > then finding something relevant (such as a download fix, or code to copy, 
> > etc), I'll copy/paste the URL to the RDP session to grab it.
> >
> > I also do update my all servers to IE8. I may be wrong, and I haven't 
> > researched this, but I believe there's other functionality and security 
> > features that are introduced into the OS with installing the newer 
> > browsers.
> >
> > -- 
> > Ace
> >
> > This posting is provided "AS-IS" with no warranties or guarantees and 
> > confers no rights.
> >
> > Please reply back to the newsgroup or forum for collaboration benefit 
> > among responding engineers, and to help others benefit from your 
> > resolution.
> >
> > Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & 
> > MCSA 2003/2000, MCSA Messaging 2003
> > Microsoft Certified Trainer
> > Microsoft MVP - Directory Services
> >
> > If you feel this is an urgent issue and require immediate assistance, 
> > please contact Microsoft PSS directly. Please check 
> > http://support.microsoft.com for regional support phone numbers.
> >
> >
> > 
> .
> 
0
Utf
1/23/2010 10:58:01 PM
Just because IE8 had this flaw doesn't mean it is as insecure as IE6.  Think 
of IE (or any browser that has been around awhile) as that old 1800's 
mansion that almost every town on the east coast has.  Chances are that over 
the years, owners have installed burglar alarms, motion detectors, and 
have...generally...upgraded security on the premises.  But there is always 
the chance that an old coal shaft got boarded up in 1927 and nobody knew 
about it, forgot about it, or for whatever reason it was an oversight.  If 
someone were to discover that shaft, they could get into the house 
undetected.

That is what happened here.  IE8 is more secure than IE7 and IE6. 
Independent security testers have universally shown this to be true.  Note 
that I'm only comparing IE8 to previous versions of IE.  I am not saying 
that IE8 is more or less secure than other *competing* browsers...as that is 
not the point of this subject.  IE8 is more secure.  Is there something 
"special" about IE8 on Win2k8 though?  Nope.  This bug could get IE8 on XP, 
Vista, and Win2k8.

The reason this seemed to get IE6 on XP though is because those are the 
oldest and most popular machines running.  It is more likely that a machine 
capable of running Vista or Win2k8 is also new enough to have a DEP-capable 
processor.  And as I already covered, DEP is a mitigating factor.  So in 
that regard, it isn't that IE8 is different, but the underlying "stuff" is 
different, and thus also adds some security (unless you went and disabled 
DEP and/or ESC.)  But again, just in regards to THIS attack, good practices 
like not browsing from the server would have helped protect your server 
regardless of browser version, and bad practices would have exposed you.  So 
yes, IE8 is a worthwhile improvement *IF* it doesn't break other things 
(which it could! so testing is essential!!!) but it isn't the silver bullet 
to give you reign to start doing things that you ought not do on a server.

-Cliff


"Joe#2" <Joe2@discussions.microsoft.com> wrote in message 
news:ABE1DB49-C2FF-4FB1-89D3-7F0DA02E7C71@microsoft.com...
> I'm in full agreement about surfing on the server. After reading many of 
> the
> past messages on this subject, I just don't hardly almost never succumb to
> that temptation.  I have restricted it to essential only. Quite frankly 
> I'm
> almost getting paranoid though about everything.
>
> Which brings me back around to IE8. Is it a more secure browser ro not? 
> Does
> it have protection builtin that inherantly raises the level or your 
> server.
> Also, again is the version on W2008 in anyway different other than ESP 
> being
> on?
>
> "Cliff Galiher - MVP" wrote:
>
>> Okay, I feel strongly enough about this that I need to actually fully
>> explain my position here.  This will probably be a long post, but...I
>> hope...well worth the time to read.
>>
>> To understand "the google hack" and its risks, let me start by 
>> establishing
>> a timeline, but I'll do so by working backwards.  First, we know that the
>> bug was made public in mid-January.  But as news has trickled out about
>> this, we now have learned that Google saw their servers being probed for
>> information about "Chinese dissidents" in early December.  Now keep that 
>> in
>> mind!  For google to get probed, it means that an admin password had 
>> already
>> been disclosed by the bug, and that the infection rate was already high
>> enough for this to have occurred.  That means that the bug has *probaby*
>> been exploited since *at least* November if not earlier.  After all, it
>> takes some time for these exploits to get out, spread across enough sites
>> that random visits will load it, and for it to reach a "critical mass."
>> Based on the number of infections reported, I'd guess it has been in the
>> wild for a few months.
>>
>> Now for my speculation.  Do I believe two people can independently find 
>> the
>> same bug?  Yes, I do.  We've seen it before.  But this wasn't a *new* 
>> bug.
>> It wasn't introduced with a patch.  It has been around for 8 years.  So 
>> what
>> are the chances that two people find the same 8-year old bug so close
>> together that MS was *already* planning a February patch when the bug was
>> exploited by the second party?  I don't believe in coincidences.  I do
>> believe that humans are flawed creatures and a moment of weakness and 
>> greed
>> from one lowly intern can result in a privately disclosed flaw being sold 
>> to
>> an unscrupulous party willing to pay for and use it.  If I'm right then 
>> this
>> bug was in the hands of hackers in August when the bug was discovered. 
>> It
>> is a trivial flaw, so it could've been weaponized and the code sprayed on
>> forums starting from that point.
>>
>> If I'm right then this flaw has been on random websites for 6 months.  If
>> I'm wrong then it has been out for approximately 3 months.  That is still 
>> a
>> nice sized window for machines to get infected.
>>
>> Now let's look at the flaw itself.  MS has said it exists in IE6, 7, 
>> *and*
>> 8.  Most of the reported infections are XP with IE6.  But that is because
>> most of the *computers* in the world still run XP.  If a 2003 server 
>> running
>> IE8 gets infected, statistically that is still very low and won't get
>> reported in the general news-stream.  Microsoft has gone through great 
>> pains
>> to document what circumstances can help mitigate the attack.  DEP helps.
>> But particularly in SBS land, there are older servers that don't support 
>> DEP
>> still in production.  After a company has spent money on storage and
>> networking, they will, more often than not, go with a budget processor to
>> save a little money.  In 2006 that meant it was still server class; fast 
>> and
>> reliable, Xeon with a good amount of cache to keep speeds up, but without
>> 64-bit support (not needed with an SBS 2003 installation) and no
>> virtualization or DEP support either.  No DEP?  IE8 is just as vulnerable 
>> as
>> IE6.  So upgrading the browser offers *no* protection in this instance.
>>
>> Secondly is the "Enhanced Security Configuration" of IE on a server.  If 
>> you
>> even hit "known" sites like the MS download site, or Sun for Java, 
>> chances
>> are you've turned off ESC though.  It gets in the way.  ....and it 
>> removed a
>> barrier that MS has said protects against this attack.  Another reason to
>> not browse from the server, even to "known" sites. It makes you lazy, 
>> makes
>> you disable things that are better left enabled, and puts your server at
>> risk.
>>
>> Which brings me to my final point.  How do you know you can trust those
>> sites?  I recall when the Linksys homepage had "trending support topics" 
>> on
>> their homepage.  It was obviously a server-side snippet that would pull 
>> bits
>> of conversation from their forums that were seeing high response volumes 
>> and
>> post a few lines.  Since most forums are database driven, it is an easy
>> thing to implement.  And if one of those responses had a snippet of
>> javascript that exploited this code?  Just visiting a known site could
>> *still* get you infected. Banner ads are another great infection point, 
>> and
>> how many 3rd-party vendors have banner ads on their sites?
>>
>> And if we are going to be completely honest, if you are on the server to
>> install a driver, chances are you were browsing as an Administrator.  You
>> weren't going to log in as a standard user, download the driver, log out,
>> log in as Administrator, install, and log back out *again* were you?  So 
>> now
>> we have a situation where there was "browsing" (even in a limited sense)
>> with full *domain* administrator privileges, from a server with *no*
>> protection (DEP nor ESC) in the name of convenience, with an exploit that
>> has been in the wild for *months* without getting noticed.  Tell me that
>> isn't a recipe for disaster?
>>
>> I have said it before and I'll say it again. If I want to download 
>> something
>> from MS or Sun, I'll do so from a laptop and save it to a file-share so I
>> can access *just* the executable from the server.  Windows Update is the
>> obvious exception, but that is not by choice.  That is purely the 
>> decision
>> of MS to make the update process web-based in XP and 2003 thus making it
>> unavoidable in those OS's.
>>
>> In short? I cannot think of *any* reason to use the browser on a server.
>> Thus I don't need Flash or Silverlight.  I only need Java if a 3rd-party 
>> app
>> uses it for non-browser code (there are certainly a few.) And the browser
>> window only gets opened when an app does so (windows update, Sharepoint
>> Central Administration, etc.)  That also means, that unlike most people, 
>> the
>> servers I'm responsible for still have ESC enabled most of the time.
>>
>> ....
>>
>> I will agree with Ace though that there are other DLLs that the OS uses 
>> from
>> IE (for MMC rendering, etc) that make updating the browser itself a
>> worthwhile exercise.  Although I usually don't jump to the newest browser
>> until I know that some of the 3rd party apps that *also* use the IE 
>> engine
>> have also been updated so rendering errors don't cause more headache than
>> they are worth.
>>
>> So, is it time to say good-bye to IE6?  It certainly won't hurt anything.
>> But is that the solution to this latest threat?  Not in the least.  We 
>> need
>> to change our habits, not our browsers.
>>
>> -Cliff
>>
>>
>> "Ace Fekay [MVP-DS, MCT]" <aceman@mvps.RemoveThisPart.org> wrote in 
>> message
>> news:OqNSDjFnKHA.5464@TK2MSFTNGP02.phx.gbl...
>> > "Russ SBITS.Biz [SBS-MVP]" <russ@REMOVETHIS.sbits.biz> wrote in message
>> > news:26A3CBB7-60FF-472B-B54E-0E121A22F5A4@microsoft.com...
>> >> I'm kind of with Cliff on this
>> >> From the server the only sites I visit is Microsoft Download
>> >> Sun Micro for Java
>> >> and Where the AV is Downloaded
>> >> (And any vendor sites like Drivers)
>> >>
>> >> I don't do any "surfing" from the clients server.
>> >> (That's why I have my laptop with security set to max)
>> >> And I tell my clients to NEVER surf from the server.
>> >> (Remember a server is a server not a work station.)
>> >>
>> >> Although the question is interesting...
>> >>
>> >> To me this is like asking if the toilet paper should roll from the 
>> >> bottom
>> >> or top.
>> >> and individual thing!
>> >>
>> >> However we all know that TP must roll from the Top.. :) Duh!
>> >> Russ
>> >>
>> >> -- 
>> >> Russell Grover - SBITS.Biz [SBS-MVP]
>> >> Microsoft Gold Certified Partner
>> >> Microsoft Certified Small Business Specialist
>> >> 24hr SBS Remote Support - http://www.SBITS.Biz
>> >> Microsoft Online Services - http://www.microsoft-online-services.com
>> >>
>> >
>> > I don't know about that. Some others in the household will put the roll 
>> > in
>> > backwards, but to them it's correct. :-)
>> >
>> > But I agree, I don't use my customer servers to browse. I will use my 
>> > own
>> > laptop while remoted into the server, such as when researching an 
>> > issue,
>> > then finding something relevant (such as a download fix, or code to 
>> > copy,
>> > etc), I'll copy/paste the URL to the RDP session to grab it.
>> >
>> > I also do update my all servers to IE8. I may be wrong, and I haven't
>> > researched this, but I believe there's other functionality and security
>> > features that are introduced into the OS with installing the newer
>> > browsers.
>> >
>> > -- 
>> > Ace
>> >
>> > This posting is provided "AS-IS" with no warranties or guarantees and
>> > confers no rights.
>> >
>> > Please reply back to the newsgroup or forum for collaboration benefit
>> > among responding engineers, and to help others benefit from your
>> > resolution.
>> >
>> > Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE 
>> > &
>> > MCSA 2003/2000, MCSA Messaging 2003
>> > Microsoft Certified Trainer
>> > Microsoft MVP - Directory Services
>> >
>> > If you feel this is an urgent issue and require immediate assistance,
>> > please contact Microsoft PSS directly. Please check
>> > http://support.microsoft.com for regional support phone numbers.
>> >
>> >
>> >
>> .
>> 
0
Cliff
1/23/2010 11:28:21 PM
Right.  Perhaps I should have been more explicit.  The bug has been around 
for 8 years, has been known to the Israeli company that found it since 
August, and to Microsoft since September.  How long actual exploit code has 
existed to take advantage of the bug is unknown, but certainly since *at 
least* December.  That leaves at least a 4-month window of an unknown 
existence....if not longer.  It is possible, albeit I think unlikely, than 
unscrupulous hacker really did discover this bug independently several years 
ago and has been slowly poisonig blogs and forums. That'd make the exploit 
"in the wild" even longer than MS knew about it.  Unlikely, as I said, but 
possible I suppose.  Regardless, there is easily a few months where this 
exploit *was* known, was not blocked or patched, and that AV software was 
completely unaware.  That is actually a large window if a person is in the 
habit of browsing from their server.

-Cliff


"Susan Bradley" <sbradcpa@pacbell.net> wrote in message 
news:ub$1GfGnKHA.1548@TK2MSFTNGP04.phx.gbl...
> Cliff Galiher - MVP wrote:
>> Okay, I feel strongly enough about this that I need to actually fully 
>> explain my position here.  This will probably be a long post, but...I 
>> hope...well worth the time to read.
>>
>> To understand "the google hack" and its risks, let me start by 
>> establishing a timeline, but I'll do so by working backwards.  First, we 
>> know that the bug was made public in mid-January.  But as news has 
>> trickled out about this, we now have learned that Google saw their 
>> servers being probed for information about "Chinese dissidents" in early 
>> December.  Now keep that in mind!  For google to get probed, it means 
>> that an admin password had already been disclosed by the bug, and that 
>> the infection rate was already high enough for this to have occurred. 
>> That means that the bug has *probaby* been exploited since *at least* 
>> November if not earlier.  After all, it takes some time for these 
>> exploits to get out, spread across enough sites that random visits will 
>> load it, and for it to reach a "critical mass." Based on the number of 
>> infections reported, I'd guess it has been in the wild for a few months.
>>
>> Now for my speculation.  Do I believe two people can independently find 
>> the same bug?  Yes, I do.  We've seen it before.  But this wasn't a *new* 
>> bug. It wasn't introduced with a patch.  It has been around for 8 years. 
>> So what are the chances that two people find the same 8-year old bug so 
>> close together that MS was *already* planning a February patch when the 
>> bug was exploited by the second party?  I don't believe in coincidences. 
>> I do believe that humans are flawed creatures and a moment of weakness 
>> and greed from one lowly intern can result in a privately disclosed flaw 
>> being sold to an unscrupulous party willing to pay for and use it.  If 
>> I'm right then this bug was in the hands of hackers in August when the 
>> bug was discovered.  It is a trivial flaw, so it could've been weaponized 
>> and the code sprayed on forums starting from that point.
>>
>> If I'm right then this flaw has been on random websites for 6 months.  If 
>> I'm wrong then it has been out for approximately 3 months.  That is still 
>> a nice sized window for machines to get infected.
>>
>> Now let's look at the flaw itself.  MS has said it exists in IE6, 7, 
>> *and* 8.  Most of the reported infections are XP with IE6.  But that is 
>> because most of the *computers* in the world still run XP.  If a 2003 
>> server running IE8 gets infected, statistically that is still very low 
>> and won't get reported in the general news-stream.  Microsoft has gone 
>> through great pains to document what circumstances can help mitigate the 
>> attack.  DEP helps. But particularly in SBS land, there are older servers 
>> that don't support DEP still in production.  After a company has spent 
>> money on storage and networking, they will, more often than not, go with 
>> a budget processor to save a little money.  In 2006 that meant it was 
>> still server class; fast and reliable, Xeon with a good amount of cache 
>> to keep speeds up, but without 64-bit support (not needed with an SBS 
>> 2003 installation) and no virtualization or DEP support either.  No DEP? 
>> IE8 is just as vulnerable as IE6.  So upgrading the browser offers *no* 
>> protection in this instance.
>>
>> Secondly is the "Enhanced Security Configuration" of IE on a server.  If 
>> you even hit "known" sites like the MS download site, or Sun for Java, 
>> chances are you've turned off ESC though.  It gets in the way.  ....and 
>> it removed a barrier that MS has said protects against this attack. 
>> Another reason to not browse from the server, even to "known" sites. It 
>> makes you lazy, makes you disable things that are better left enabled, 
>> and puts your server at risk.
>>
>> Which brings me to my final point.  How do you know you can trust those 
>> sites?  I recall when the Linksys homepage had "trending support topics" 
>> on their homepage.  It was obviously a server-side snippet that would 
>> pull bits of conversation from their forums that were seeing high 
>> response volumes and post a few lines.  Since most forums are database 
>> driven, it is an easy thing to implement.  And if one of those responses 
>> had a snippet of javascript that exploited this code?  Just visiting a 
>> known site could *still* get you infected. Banner ads are another great 
>> infection point, and how many 3rd-party vendors have banner ads on their 
>> sites?
>>
>> And if we are going to be completely honest, if you are on the server to 
>> install a driver, chances are you were browsing as an Administrator.  You 
>> weren't going to log in as a standard user, download the driver, log out, 
>> log in as Administrator, install, and log back out *again* were you?  So 
>> now we have a situation where there was "browsing" (even in a limited 
>> sense) with full *domain* administrator privileges, from a server with 
>> *no* protection (DEP nor ESC) in the name of convenience, with an exploit 
>> that has been in the wild for *months* without getting noticed.  Tell me 
>> that isn't a recipe for disaster?
>>
>> I have said it before and I'll say it again. If I want to download 
>> something from MS or Sun, I'll do so from a laptop and save it to a 
>> file-share so I can access *just* the executable from the server. 
>> Windows Update is the obvious exception, but that is not by choice.  That 
>> is purely the decision of MS to make the update process web-based in XP 
>> and 2003 thus making it unavoidable in those OS's.
>>
>> In short? I cannot think of *any* reason to use the browser on a server. 
>> Thus I don't need Flash or Silverlight.  I only need Java if a 3rd-party 
>> app uses it for non-browser code (there are certainly a few.) And the 
>> browser window only gets opened when an app does so (windows update, 
>> Sharepoint Central Administration, etc.)  That also means, that unlike 
>> most people, the servers I'm responsible for still have ESC enabled most 
>> of the time.
>>
>> ...
>>
>> I will agree with Ace though that there are other DLLs that the OS uses 
>> from IE (for MMC rendering, etc) that make updating the browser itself a 
>> worthwhile exercise.  Although I usually don't jump to the newest browser 
>> until I know that some of the 3rd party apps that *also* use the IE 
>> engine have also been updated so rendering errors don't cause more 
>> headache than they are worth.
>>
>> So, is it time to say good-bye to IE6?  It certainly won't hurt anything. 
>> But is that the solution to this latest threat?  Not in the least.  We 
>> need to change our habits, not our browsers.
>>
>> -Cliff
>>
>>
>> "Ace Fekay [MVP-DS, MCT]" <aceman@mvps.RemoveThisPart.org> wrote in 
>> message news:OqNSDjFnKHA.5464@TK2MSFTNGP02.phx.gbl...
>>> "Russ SBITS.Biz [SBS-MVP]" <russ@REMOVETHIS.sbits.biz> wrote in message 
>>> news:26A3CBB7-60FF-472B-B54E-0E121A22F5A4@microsoft.com...
>>>> I'm kind of with Cliff on this
>>>> From the server the only sites I visit is Microsoft Download
>>>> Sun Micro for Java
>>>> and Where the AV is Downloaded
>>>> (And any vendor sites like Drivers)
>>>>
>>>> I don't do any "surfing" from the clients server.
>>>> (That's why I have my laptop with security set to max)
>>>> And I tell my clients to NEVER surf from the server.
>>>> (Remember a server is a server not a work station.)
>>>>
>>>> Although the question is interesting...
>>>>
>>>> To me this is like asking if the toilet paper should roll from the 
>>>> bottom or top.
>>>> and individual thing!
>>>>
>>>> However we all know that TP must roll from the Top.. :) Duh!
>>>> Russ
>>>>
>>>> -- 
>>>> Russell Grover - SBITS.Biz [SBS-MVP]
>>>> Microsoft Gold Certified Partner
>>>> Microsoft Certified Small Business Specialist
>>>> 24hr SBS Remote Support - http://www.SBITS.Biz
>>>> Microsoft Online Services - http://www.microsoft-online-services.com
>>>>
>>>
>>> I don't know about that. Some others in the household will put the roll 
>>> in backwards, but to them it's correct. :-)
>>>
>>> But I agree, I don't use my customer servers to browse. I will use my 
>>> own laptop while remoted into the server, such as when researching an 
>>> issue, then finding something relevant (such as a download fix, or code 
>>> to copy, etc), I'll copy/paste the URL to the RDP session to grab it.
>>>
>>> I also do update my all servers to IE8. I may be wrong, and I haven't 
>>> researched this, but I believe there's other functionality and security 
>>> features that are introduced into the OS with installing the newer 
>>> browsers.
>>>
>>> -- 
>>> Ace
>>>
>>> This posting is provided "AS-IS" with no warranties or guarantees and 
>>> confers no rights.
>>>
>>> Please reply back to the newsgroup or forum for collaboration benefit 
>>> among responding engineers, and to help others benefit from your 
>>> resolution.
>>>
>>> Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & 
>>> MCSA 2003/2000, MCSA Messaging 2003
>>> Microsoft Certified Trainer
>>> Microsoft MVP - Directory Services
>>>
>>> If you feel this is an urgent issue and require immediate assistance, 
>>> please contact Microsoft PSS directly. Please check 
>>> http://support.microsoft.com for regional support phone numbers.
>>>
>>>
>>>
> MS officially knew about the bug since September. 

0
Cliff
1/23/2010 11:32:39 PM
"Cliff Galiher - MVP" <cgaliher@gmail.com> wrote in message 
news:110C17C9-E3AD-4601-88A1-FFB99BF8BD23@microsoft.com...
> Right.  Perhaps I should have been more explicit.  The bug has been around 
> for 8 years, has been known to the Israeli company that found it since 
> August, and to Microsoft since September.  How long actual exploit code 
> has existed to take advantage of the bug is unknown, but certainly since 
> *at least* December.  That leaves at least a 4-month window of an unknown 
> existence....if not longer.  It is possible, albeit I think unlikely, than 
> unscrupulous hacker really did discover this bug independently several 
> years ago and has been slowly poisonig blogs and forums. That'd make the 
> exploit "in the wild" even longer than MS knew about it.  Unlikely, as I 
> said, but possible I suppose.  Regardless, there is easily a few months 
> where this exploit *was* known, was not blocked or patched, and that AV 
> software was completely unaware.  That is actually a large window if a 
> person is in the habit of browsing from their server.
>
> -Cliff
>


Cliff, excellent write-up. Point taken. It makes sense to refrain using a 
server and (in my case), download it to my laptop, and ftp it back to the 
customer site, as a best practice moving forward.

Ace 


0
Ace
1/24/2010 5:02:20 AM
Nobody may be following this thread but I offer a sidebar. I hear the
computer alarm go off last night. My wife starts fussing Yahoo and
praising Avast. It seems that Yahoo has been infected for a while now.
I am not sure what specific area she was going to but it was probably
one of  her list serves that Yahoo hosts. The point is big name web
sites can be infected and the big name has no clue it is. Little sites
can also be infected and they have no clue. In fact one of the
non-profits I visited recently to give a proposal was complaining that
their web site has been hit a few times over the past 6 months. They
are blaming the big name hosting company which might be true. Or it
could be lame passwords somewhere or just bad code that allows
injection of some sort. That is not an area I know much about. Point
is web sites are dirty and it is not just prurient websites that can
be dirty. 

On Sat, 23 Jan 2010 16:28:21 -0700, "Cliff Galiher - MVP"
<cgaliher@gmail.com> wrote:

>Just because IE8 had this flaw doesn't mean it is as insecure as IE6.  Think 
>of IE (or any browser that has been around awhile) as that old 1800's 
>mansion that almost every town on the east coast has.  Chances are that over 
>the years, owners have installed burglar alarms, motion detectors, and 
>have...generally...upgraded security on the premises.  But there is always 
>the chance that an old coal shaft got boarded up in 1927 and nobody knew 
>about it, forgot about it, or for whatever reason it was an oversight.  If 
>someone were to discover that shaft, they could get into the house 
>undetected.
>
>That is what happened here.  IE8 is more secure than IE7 and IE6. 
>Independent security testers have universally shown this to be true.  Note 
>that I'm only comparing IE8 to previous versions of IE.  I am not saying 
>that IE8 is more or less secure than other *competing* browsers...as that is 
>not the point of this subject.  IE8 is more secure.  Is there something 
>"special" about IE8 on Win2k8 though?  Nope.  This bug could get IE8 on XP, 
>Vista, and Win2k8.
>
>The reason this seemed to get IE6 on XP though is because those are the 
>oldest and most popular machines running.  It is more likely that a machine 
>capable of running Vista or Win2k8 is also new enough to have a DEP-capable 
>processor.  And as I already covered, DEP is a mitigating factor.  So in 
>that regard, it isn't that IE8 is different, but the underlying "stuff" is 
>different, and thus also adds some security (unless you went and disabled 
>DEP and/or ESC.)  But again, just in regards to THIS attack, good practices 
>like not browsing from the server would have helped protect your server 
>regardless of browser version, and bad practices would have exposed you.  So 
>yes, IE8 is a worthwhile improvement *IF* it doesn't break other things 
>(which it could! so testing is essential!!!) but it isn't the silver bullet 
>to give you reign to start doing things that you ought not do on a server.
>
>-Cliff
>
>
>"Joe#2" <Joe2@discussions.microsoft.com> wrote in message 
>news:ABE1DB49-C2FF-4FB1-89D3-7F0DA02E7C71@microsoft.com...
>> I'm in full agreement about surfing on the server. After reading many of 
>> the
>> past messages on this subject, I just don't hardly almost never succumb to
>> that temptation.  I have restricted it to essential only. Quite frankly 
>> I'm
>> almost getting paranoid though about everything.
>>
>> Which brings me back around to IE8. Is it a more secure browser ro not? 
>> Does
>> it have protection builtin that inherantly raises the level or your 
>> server.
>> Also, again is the version on W2008 in anyway different other than ESP 
>> being
>> on?
>>
>> "Cliff Galiher - MVP" wrote:
>>
>>> Okay, I feel strongly enough about this that I need to actually fully
>>> explain my position here.  This will probably be a long post, but...I
>>> hope...well worth the time to read.
>>>
>>> To understand "the google hack" and its risks, let me start by 
>>> establishing
>>> a timeline, but I'll do so by working backwards.  First, we know that the
>>> bug was made public in mid-January.  But as news has trickled out about
>>> this, we now have learned that Google saw their servers being probed for
>>> information about "Chinese dissidents" in early December.  Now keep that 
>>> in
>>> mind!  For google to get probed, it means that an admin password had 
>>> already
>>> been disclosed by the bug, and that the infection rate was already high
>>> enough for this to have occurred.  That means that the bug has *probaby*
>>> been exploited since *at least* November if not earlier.  After all, it
>>> takes some time for these exploits to get out, spread across enough sites
>>> that random visits will load it, and for it to reach a "critical mass."
>>> Based on the number of infections reported, I'd guess it has been in the
>>> wild for a few months.
>>>
>>> Now for my speculation.  Do I believe two people can independently find 
>>> the
>>> same bug?  Yes, I do.  We've seen it before.  But this wasn't a *new* 
>>> bug.
>>> It wasn't introduced with a patch.  It has been around for 8 years.  So 
>>> what
>>> are the chances that two people find the same 8-year old bug so close
>>> together that MS was *already* planning a February patch when the bug was
>>> exploited by the second party?  I don't believe in coincidences.  I do
>>> believe that humans are flawed creatures and a moment of weakness and 
>>> greed
>>> from one lowly intern can result in a privately disclosed flaw being sold 
>>> to
>>> an unscrupulous party willing to pay for and use it.  If I'm right then 
>>> this
>>> bug was in the hands of hackers in August when the bug was discovered. 
>>> It
>>> is a trivial flaw, so it could've been weaponized and the code sprayed on
>>> forums starting from that point.
>>>
>>> If I'm right then this flaw has been on random websites for 6 months.  If
>>> I'm wrong then it has been out for approximately 3 months.  That is still 
>>> a
>>> nice sized window for machines to get infected.
>>>
>>> Now let's look at the flaw itself.  MS has said it exists in IE6, 7, 
>>> *and*
>>> 8.  Most of the reported infections are XP with IE6.  But that is because
>>> most of the *computers* in the world still run XP.  If a 2003 server 
>>> running
>>> IE8 gets infected, statistically that is still very low and won't get
>>> reported in the general news-stream.  Microsoft has gone through great 
>>> pains
>>> to document what circumstances can help mitigate the attack.  DEP helps.
>>> But particularly in SBS land, there are older servers that don't support 
>>> DEP
>>> still in production.  After a company has spent money on storage and
>>> networking, they will, more often than not, go with a budget processor to
>>> save a little money.  In 2006 that meant it was still server class; fast 
>>> and
>>> reliable, Xeon with a good amount of cache to keep speeds up, but without
>>> 64-bit support (not needed with an SBS 2003 installation) and no
>>> virtualization or DEP support either.  No DEP?  IE8 is just as vulnerable 
>>> as
>>> IE6.  So upgrading the browser offers *no* protection in this instance.
>>>
>>> Secondly is the "Enhanced Security Configuration" of IE on a server.  If 
>>> you
>>> even hit "known" sites like the MS download site, or Sun for Java, 
>>> chances
>>> are you've turned off ESC though.  It gets in the way.  ....and it 
>>> removed a
>>> barrier that MS has said protects against this attack.  Another reason to
>>> not browse from the server, even to "known" sites. It makes you lazy, 
>>> makes
>>> you disable things that are better left enabled, and puts your server at
>>> risk.
>>>
>>> Which brings me to my final point.  How do you know you can trust those
>>> sites?  I recall when the Linksys homepage had "trending support topics" 
>>> on
>>> their homepage.  It was obviously a server-side snippet that would pull 
>>> bits
>>> of conversation from their forums that were seeing high response volumes 
>>> and
>>> post a few lines.  Since most forums are database driven, it is an easy
>>> thing to implement.  And if one of those responses had a snippet of
>>> javascript that exploited this code?  Just visiting a known site could
>>> *still* get you infected. Banner ads are another great infection point, 
>>> and
>>> how many 3rd-party vendors have banner ads on their sites?
>>>
>>> And if we are going to be completely honest, if you are on the server to
>>> install a driver, chances are you were browsing as an Administrator.  You
>>> weren't going to log in as a standard user, download the driver, log out,
>>> log in as Administrator, install, and log back out *again* were you?  So 
>>> now
>>> we have a situation where there was "browsing" (even in a limited sense)
>>> with full *domain* administrator privileges, from a server with *no*
>>> protection (DEP nor ESC) in the name of convenience, with an exploit that
>>> has been in the wild for *months* without getting noticed.  Tell me that
>>> isn't a recipe for disaster?
>>>
>>> I have said it before and I'll say it again. If I want to download 
>>> something
>>> from MS or Sun, I'll do so from a laptop and save it to a file-share so I
>>> can access *just* the executable from the server.  Windows Update is the
>>> obvious exception, but that is not by choice.  That is purely the 
>>> decision
>>> of MS to make the update process web-based in XP and 2003 thus making it
>>> unavoidable in those OS's.
>>>
>>> In short? I cannot think of *any* reason to use the browser on a server.
>>> Thus I don't need Flash or Silverlight.  I only need Java if a 3rd-party 
>>> app
>>> uses it for non-browser code (there are certainly a few.) And the browser
>>> window only gets opened when an app does so (windows update, Sharepoint
>>> Central Administration, etc.)  That also means, that unlike most people, 
>>> the
>>> servers I'm responsible for still have ESC enabled most of the time.
>>>
>>> ....
>>>
>>> I will agree with Ace though that there are other DLLs that the OS uses 
>>> from
>>> IE (for MMC rendering, etc) that make updating the browser itself a
>>> worthwhile exercise.  Although I usually don't jump to the newest browser
>>> until I know that some of the 3rd party apps that *also* use the IE 
>>> engine
>>> have also been updated so rendering errors don't cause more headache than
>>> they are worth.
>>>
>>> So, is it time to say good-bye to IE6?  It certainly won't hurt anything.
>>> But is that the solution to this latest threat?  Not in the least.  We 
>>> need
>>> to change our habits, not our browsers.
>>>
>>> -Cliff
>>>
>>>
>>> "Ace Fekay [MVP-DS, MCT]" <aceman@mvps.RemoveThisPart.org> wrote in 
>>> message
>>> news:OqNSDjFnKHA.5464@TK2MSFTNGP02.phx.gbl...
>>> > "Russ SBITS.Biz [SBS-MVP]" <russ@REMOVETHIS.sbits.biz> wrote in message
>>> > news:26A3CBB7-60FF-472B-B54E-0E121A22F5A4@microsoft.com...
>>> >> I'm kind of with Cliff on this
>>> >> From the server the only sites I visit is Microsoft Download
>>> >> Sun Micro for Java
>>> >> and Where the AV is Downloaded
>>> >> (And any vendor sites like Drivers)
>>> >>
>>> >> I don't do any "surfing" from the clients server.
>>> >> (That's why I have my laptop with security set to max)
>>> >> And I tell my clients to NEVER surf from the server.
>>> >> (Remember a server is a server not a work station.)
>>> >>
>>> >> Although the question is interesting...
>>> >>
>>> >> To me this is like asking if the toilet paper should roll from the 
>>> >> bottom
>>> >> or top.
>>> >> and individual thing!
>>> >>
>>> >> However we all know that TP must roll from the Top.. :) Duh!
>>> >> Russ
>>> >>
>>> >> -- 
>>> >> Russell Grover - SBITS.Biz [SBS-MVP]
>>> >> Microsoft Gold Certified Partner
>>> >> Microsoft Certified Small Business Specialist
>>> >> 24hr SBS Remote Support - http://www.SBITS.Biz
>>> >> Microsoft Online Services - http://www.microsoft-online-services.com
>>> >>
>>> >
>>> > I don't know about that. Some others in the household will put the roll 
>>> > in
>>> > backwards, but to them it's correct. :-)
>>> >
>>> > But I agree, I don't use my customer servers to browse. I will use my 
>>> > own
>>> > laptop while remoted into the server, such as when researching an 
>>> > issue,
>>> > then finding something relevant (such as a download fix, or code to 
>>> > copy,
>>> > etc), I'll copy/paste the URL to the RDP session to grab it.
>>> >
>>> > I also do update my all servers to IE8. I may be wrong, and I haven't
>>> > researched this, but I believe there's other functionality and security
>>> > features that are introduced into the OS with installing the newer
>>> > browsers.
>>> >
>>> > -- 
>>> > Ace
>>> >
>>> > This posting is provided "AS-IS" with no warranties or guarantees and
>>> > confers no rights.
>>> >
>>> > Please reply back to the newsgroup or forum for collaboration benefit
>>> > among responding engineers, and to help others benefit from your
>>> > resolution.
>>> >
>>> > Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE 
>>> > &
>>> > MCSA 2003/2000, MCSA Messaging 2003
>>> > Microsoft Certified Trainer
>>> > Microsoft MVP - Directory Services
>>> >
>>> > If you feel this is an urgent issue and require immediate assistance,
>>> > please contact Microsoft PSS directly. Please check
>>> > http://support.microsoft.com for regional support phone numbers.
>>> >
>>> >
>>> >
>>> .
>>> 
See what SBS support is working on
http://blogs.technet.com/sbs/default.aspx
Check your SBS with the SBS Best Practices Analyzer
http://blogs.technet.com/sbs/archive/tags/BPA/default.aspx
0
Jim
1/24/2010 3:09:34 PM
I was under the impression that upgrading the browser from IE6 broke some of 
the wizards in SBS 2003 -
On my 1st install (out of the 3 installs) I immeadiatly upgraded to IE7 
(newest at the time) and could not continue because some of the wizards (I 
can't remember which) did not work.  I assumed it was the browser upgrade, 
but apparently I was wrong.  I blew that install away and re-installed, and 
kept the server at IE6 ever since.

So can I upgrade the server to IE8 without breaking anything?
Has it caused any wizard issues that you are aware of, Ace?  Maybe my 
install back then was screwed up before I did the upgrade.
I understand not to browse from it, but at least then I can get rid of the 
offers to upgrade from WSUS that I have been ignoring for the past 2 or so 
years.

"Ace Fekay [MVP-DS, MCT]" <aceman@mvps.RemoveThisPart.org> wrote in message 
news:OqNSDjFnKHA.5464@TK2MSFTNGP02.phx.gbl...
> "Russ SBITS.Biz [SBS-MVP]" <russ@REMOVETHIS.sbits.biz> wrote in message 
> news:26A3CBB7-60FF-472B-B54E-0E121A22F5A4@microsoft.com...
>> I'm kind of with Cliff on this
>> From the server the only sites I visit is Microsoft Download
>> Sun Micro for Java
>> and Where the AV is Downloaded
>> (And any vendor sites like Drivers)
>>
>> I don't do any "surfing" from the clients server.
>> (That's why I have my laptop with security set to max)
>> And I tell my clients to NEVER surf from the server.
>> (Remember a server is a server not a work station.)
>>
>> Although the question is interesting...
>>
>> To me this is like asking if the toilet paper should roll from the bottom 
>> or top.
>> and individual thing!
>>
>> However we all know that TP must roll from the Top.. :) Duh!
>> Russ
>>
>> -- 
>> Russell Grover - SBITS.Biz [SBS-MVP]
>> Microsoft Gold Certified Partner
>> Microsoft Certified Small Business Specialist
>> 24hr SBS Remote Support - http://www.SBITS.Biz
>> Microsoft Online Services - http://www.microsoft-online-services.com
>>
>
> I don't know about that. Some others in the household will put the roll in 
> backwards, but to them it's correct. :-)
>
> But I agree, I don't use my customer servers to browse. I will use my own 
> laptop while remoted into the server, such as when researching an issue, 
> then finding something relevant (such as a download fix, or code to copy, 
> etc), I'll copy/paste the URL to the RDP session to grab it.
>
> I also do update my all servers to IE8. I may be wrong, and I haven't 
> researched this, but I believe there's other functionality and security 
> features that are introduced into the OS with installing the newer 
> browsers.
>
> -- 
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and 
> confers no rights.
>
> Please reply back to the newsgroup or forum for collaboration benefit 
> among responding engineers, and to help others benefit from your 
> resolution.
>
> Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & 
> MCSA 2003/2000, MCSA Messaging 2003
> Microsoft Certified Trainer
> Microsoft MVP - Directory Services
>
> If you feel this is an urgent issue and require immediate assistance, 
> please contact Microsoft PSS directly. Please check 
> http://support.microsoft.com for regional support phone numbers.
>
>
> 


0
M
1/25/2010 2:48:40 PM
As long as you are installing *all* SBS updates, you can upgrade IE as well. 
It doesn't break anything internally on SBS.  It *may* break 3rd-party apps 
however.  Some older apps, in particular, may not like the newer IE 
renderers and this can cause problems.  So backup, backup, backup, and test.

-Cliff


"M. Murphy" <MMurphy@discussions.microsoft.com> wrote in message 
news:edf$R2cnKHA.6084@TK2MSFTNGP02.phx.gbl...
> I was under the impression that upgrading the browser from IE6 broke some 
> of the wizards in SBS 2003 -
> On my 1st install (out of the 3 installs) I immeadiatly upgraded to IE7 
> (newest at the time) and could not continue because some of the wizards (I 
> can't remember which) did not work.  I assumed it was the browser upgrade, 
> but apparently I was wrong.  I blew that install away and re-installed, 
> and kept the server at IE6 ever since.
>
> So can I upgrade the server to IE8 without breaking anything?
> Has it caused any wizard issues that you are aware of, Ace?  Maybe my 
> install back then was screwed up before I did the upgrade.
> I understand not to browse from it, but at least then I can get rid of the 
> offers to upgrade from WSUS that I have been ignoring for the past 2 or so 
> years.
>
> "Ace Fekay [MVP-DS, MCT]" <aceman@mvps.RemoveThisPart.org> wrote in 
> message news:OqNSDjFnKHA.5464@TK2MSFTNGP02.phx.gbl...
>> "Russ SBITS.Biz [SBS-MVP]" <russ@REMOVETHIS.sbits.biz> wrote in message 
>> news:26A3CBB7-60FF-472B-B54E-0E121A22F5A4@microsoft.com...
>>> I'm kind of with Cliff on this
>>> From the server the only sites I visit is Microsoft Download
>>> Sun Micro for Java
>>> and Where the AV is Downloaded
>>> (And any vendor sites like Drivers)
>>>
>>> I don't do any "surfing" from the clients server.
>>> (That's why I have my laptop with security set to max)
>>> And I tell my clients to NEVER surf from the server.
>>> (Remember a server is a server not a work station.)
>>>
>>> Although the question is interesting...
>>>
>>> To me this is like asking if the toilet paper should roll from the 
>>> bottom or top.
>>> and individual thing!
>>>
>>> However we all know that TP must roll from the Top.. :) Duh!
>>> Russ
>>>
>>> -- 
>>> Russell Grover - SBITS.Biz [SBS-MVP]
>>> Microsoft Gold Certified Partner
>>> Microsoft Certified Small Business Specialist
>>> 24hr SBS Remote Support - http://www.SBITS.Biz
>>> Microsoft Online Services - http://www.microsoft-online-services.com
>>>
>>
>> I don't know about that. Some others in the household will put the roll 
>> in backwards, but to them it's correct. :-)
>>
>> But I agree, I don't use my customer servers to browse. I will use my own 
>> laptop while remoted into the server, such as when researching an issue, 
>> then finding something relevant (such as a download fix, or code to copy, 
>> etc), I'll copy/paste the URL to the RDP session to grab it.
>>
>> I also do update my all servers to IE8. I may be wrong, and I haven't 
>> researched this, but I believe there's other functionality and security 
>> features that are introduced into the OS with installing the newer 
>> browsers.
>>
>> -- 
>> Ace
>>
>> This posting is provided "AS-IS" with no warranties or guarantees and 
>> confers no rights.
>>
>> Please reply back to the newsgroup or forum for collaboration benefit 
>> among responding engineers, and to help others benefit from your 
>> resolution.
>>
>> Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & 
>> MCSA 2003/2000, MCSA Messaging 2003
>> Microsoft Certified Trainer
>> Microsoft MVP - Directory Services
>>
>> If you feel this is an urgent issue and require immediate assistance, 
>> please contact Microsoft PSS directly. Please check 
>> http://support.microsoft.com for regional support phone numbers.
>>
>>
>>
>
> 
0
Cliff
1/25/2010 5:14:27 PM
        You may as well switch to IE8 for everything at this point unless 
you have an application that explicitly states that it is not compatible 
with IE8. That will keep you relatively safe from accusations of negligence; 
what more can one do? Get it on the server, get it on all your workstations. 
It's the only way to cover yourself.

        That said, the problem is not the browser or the operating system. 
It's the whole concept that outsiders can reprogram your computer, 
regardless of the reason. That is what has to end if Internet is to continue 
to exist in any usable form. Constant updating is a plague on software and 
Internet and it is not sustainable in the long run. The answer to bad code 
and bad updates seems to be more bad code and more bad updates. Microsoft is 
still finding buffer overrun vulnerabilities in its code after all these 
years-- will it ever end? No.

        I think eventually everything will come around to the concept of a 
dumb terminal-- something that no one can reprogram. I also think that 
updates are nothing more than a crutch for software developers who can't get 
it right the first time-- or the second time-- or even the 98th time. The 
only hope for computing is to get off the updating merry-go-round once and 
for all. You buy a piece of software and you use it out of the box-- or 
maybe you buy a whole computer and use it exactly as it was delivered, 
without ANY updates or patches or fixes, because it works right from the 
start. You want to connect to your bank, you use the remote desktop client 
that came with the computer and the bank worries about its mainframe.

        An update is nothing more than a software recall. Imagine if your 
car were recalled once a month, and if you drove it to the shop to be fixed, 
you might not be able to drive it home that night because it wouldn't even 
start. That has to end, and a new browser or a new operating system or just 
one more little update won't do the job. We need a whole new philosophy of 
computing. It will come, because it has to. Otherwise, Internet and maybe 
even computers in general will find themselves on the ash heap of history.

"Joe#2" <Joe2@discussions.microsoft.com> wrote in message 
news:E87C96B6-5C60-4DAB-B026-03229D189E10@microsoft.com...
> An article in the Wall Street Journal on 1-22-2010 titled "Microsoft
> Scrambles To Patch Browser"  states the the Goverment of France and 
> Germany
> publicaly announced that internet users not use IE, that users switch to a
> competing software until Microsoft issues a security patch. (The patch was
> resleased this week)
>
> To read the article go to :
> http://online.wsj.com/article/SB20001424052748703405704575015421102972994.html
>
> The following is a quote from the article and includes a comment from
> Microsoft:
>
> "The current security hole in Internet Explorer also highlights how
> difficult it is, in practice, to persuade Web users to change their 
> habits.
> While all versions of Internet Explorer contain the vulnerability, 
> Microsoft
> said it can only be exploited effectively in Internet Explorer 6, a 
> version
> of the browser that came out more than eight years ago.
>
> Still, Internet Explorer 6 remains the most popular browser version,
> accounting for just under 21% of traffic to Web sites, slightly ahead of
> Microsoft's more-secure Internet Explorer 8, according to researchers at 
> Net
> Applications."
>
> I posted a question [ IE6 vs IE& vs IE8 on SBS ] to this forum a last May
> about using IE6 and a lot of good comments resulted.
>
>
> I'm beginning to wonder if it is time to go to IE8 on the server. 
> Personally
> I've been hassed several times by IE8, and have gotten to the point when I 
> do
> install it on a desktop I don't elect a lot  of the features it offers. 
> Some
> say it is a problem with W2003, but isn't it standard in W2008? Is the 
> server
> download different than the desktop download?
>
> Looking forward to your input.
>
> Joe
>
>
>
>
> 


0
Andrew
1/26/2010 3:24:07 AM
I can attest to most of those details.  The two most recent antimalware 
alarms in my office were from a reputable travel site, and from a non-profit 
operated site for fundraisers.  The first involved an infected banner 
ad--that was about two years ago, and the second hacked code on the site.

In both cases, the problem was corrected quickly--we took the time to get in 
touch with the right folks--but this can happen to anyone--you don't have to 
be surfing for porn or song lyrics.


"Jim Behning SBS MVP" <jimbehning@doesthisblockpork.mindspring.com> wrote in 
message news:ecjol55hhodjttf3v05re6rnfcifbc6f6n@4ax.com...
> Nobody may be following this thread but I offer a sidebar. I hear the
> computer alarm go off last night. My wife starts fussing Yahoo and
> praising Avast. It seems that Yahoo has been infected for a while now.
> I am not sure what specific area she was going to but it was probably
> one of  her list serves that Yahoo hosts. The point is big name web
> sites can be infected and the big name has no clue it is. Little sites
> can also be infected and they have no clue. In fact one of the
> non-profits I visited recently to give a proposal was complaining that
> their web site has been hit a few times over the past 6 months. They
> are blaming the big name hosting company which might be true. Or it
> could be lame passwords somewhere or just bad code that allows
> injection of some sort. That is not an area I know much about. Point
> is web sites are dirty and it is not just prurient websites that can
> be dirty.
>
> On Sat, 23 Jan 2010 16:28:21 -0700, "Cliff Galiher - MVP"
> <cgaliher@gmail.com> wrote:
>
>>Just because IE8 had this flaw doesn't mean it is as insecure as IE6. 
>>Think
>>of IE (or any browser that has been around awhile) as that old 1800's
>>mansion that almost every town on the east coast has.  Chances are that 
>>over
>>the years, owners have installed burglar alarms, motion detectors, and
>>have...generally...upgraded security on the premises.  But there is always
>>the chance that an old coal shaft got boarded up in 1927 and nobody knew
>>about it, forgot about it, or for whatever reason it was an oversight.  If
>>someone were to discover that shaft, they could get into the house
>>undetected.
>>
>>That is what happened here.  IE8 is more secure than IE7 and IE6.
>>Independent security testers have universally shown this to be true.  Note
>>that I'm only comparing IE8 to previous versions of IE.  I am not saying
>>that IE8 is more or less secure than other *competing* browsers...as that 
>>is
>>not the point of this subject.  IE8 is more secure.  Is there something
>>"special" about IE8 on Win2k8 though?  Nope.  This bug could get IE8 on 
>>XP,
>>Vista, and Win2k8.
>>
>>The reason this seemed to get IE6 on XP though is because those are the
>>oldest and most popular machines running.  It is more likely that a 
>>machine
>>capable of running Vista or Win2k8 is also new enough to have a 
>>DEP-capable
>>processor.  And as I already covered, DEP is a mitigating factor.  So in
>>that regard, it isn't that IE8 is different, but the underlying "stuff" is
>>different, and thus also adds some security (unless you went and disabled
>>DEP and/or ESC.)  But again, just in regards to THIS attack, good 
>>practices
>>like not browsing from the server would have helped protect your server
>>regardless of browser version, and bad practices would have exposed you. 
>>So
>>yes, IE8 is a worthwhile improvement *IF* it doesn't break other things
>>(which it could! so testing is essential!!!) but it isn't the silver 
>>bullet
>>to give you reign to start doing things that you ought not do on a server.
>>
>>-Cliff
>>
>>
>>"Joe#2" <Joe2@discussions.microsoft.com> wrote in message
>>news:ABE1DB49-C2FF-4FB1-89D3-7F0DA02E7C71@microsoft.com...
>>> I'm in full agreement about surfing on the server. After reading many of
>>> the
>>> past messages on this subject, I just don't hardly almost never succumb 
>>> to
>>> that temptation.  I have restricted it to essential only. Quite frankly
>>> I'm
>>> almost getting paranoid though about everything.
>>>
>>> Which brings me back around to IE8. Is it a more secure browser ro not?
>>> Does
>>> it have protection builtin that inherantly raises the level or your
>>> server.
>>> Also, again is the version on W2008 in anyway different other than ESP
>>> being
>>> on?
>>>
>>> "Cliff Galiher - MVP" wrote:
>>>
>>>> Okay, I feel strongly enough about this that I need to actually fully
>>>> explain my position here.  This will probably be a long post, but...I
>>>> hope...well worth the time to read.
>>>>
>>>> To understand "the google hack" and its risks, let me start by
>>>> establishing
>>>> a timeline, but I'll do so by working backwards.  First, we know that 
>>>> the
>>>> bug was made public in mid-January.  But as news has trickled out about
>>>> this, we now have learned that Google saw their servers being probed 
>>>> for
>>>> information about "Chinese dissidents" in early December.  Now keep 
>>>> that
>>>> in
>>>> mind!  For google to get probed, it means that an admin password had
>>>> already
>>>> been disclosed by the bug, and that the infection rate was already high
>>>> enough for this to have occurred.  That means that the bug has 
>>>> *probaby*
>>>> been exploited since *at least* November if not earlier.  After all, it
>>>> takes some time for these exploits to get out, spread across enough 
>>>> sites
>>>> that random visits will load it, and for it to reach a "critical mass."
>>>> Based on the number of infections reported, I'd guess it has been in 
>>>> the
>>>> wild for a few months.
>>>>
>>>> Now for my speculation.  Do I believe two people can independently find
>>>> the
>>>> same bug?  Yes, I do.  We've seen it before.  But this wasn't a *new*
>>>> bug.
>>>> It wasn't introduced with a patch.  It has been around for 8 years.  So
>>>> what
>>>> are the chances that two people find the same 8-year old bug so close
>>>> together that MS was *already* planning a February patch when the bug 
>>>> was
>>>> exploited by the second party?  I don't believe in coincidences.  I do
>>>> believe that humans are flawed creatures and a moment of weakness and
>>>> greed
>>>> from one lowly intern can result in a privately disclosed flaw being 
>>>> sold
>>>> to
>>>> an unscrupulous party willing to pay for and use it.  If I'm right then
>>>> this
>>>> bug was in the hands of hackers in August when the bug was discovered.
>>>> It
>>>> is a trivial flaw, so it could've been weaponized and the code sprayed 
>>>> on
>>>> forums starting from that point.
>>>>
>>>> If I'm right then this flaw has been on random websites for 6 months. 
>>>> If
>>>> I'm wrong then it has been out for approximately 3 months.  That is 
>>>> still
>>>> a
>>>> nice sized window for machines to get infected.
>>>>
>>>> Now let's look at the flaw itself.  MS has said it exists in IE6, 7,
>>>> *and*
>>>> 8.  Most of the reported infections are XP with IE6.  But that is 
>>>> because
>>>> most of the *computers* in the world still run XP.  If a 2003 server
>>>> running
>>>> IE8 gets infected, statistically that is still very low and won't get
>>>> reported in the general news-stream.  Microsoft has gone through great
>>>> pains
>>>> to document what circumstances can help mitigate the attack.  DEP 
>>>> helps.
>>>> But particularly in SBS land, there are older servers that don't 
>>>> support
>>>> DEP
>>>> still in production.  After a company has spent money on storage and
>>>> networking, they will, more often than not, go with a budget processor 
>>>> to
>>>> save a little money.  In 2006 that meant it was still server class; 
>>>> fast
>>>> and
>>>> reliable, Xeon with a good amount of cache to keep speeds up, but 
>>>> without
>>>> 64-bit support (not needed with an SBS 2003 installation) and no
>>>> virtualization or DEP support either.  No DEP?  IE8 is just as 
>>>> vulnerable
>>>> as
>>>> IE6.  So upgrading the browser offers *no* protection in this instance.
>>>>
>>>> Secondly is the "Enhanced Security Configuration" of IE on a server. 
>>>> If
>>>> you
>>>> even hit "known" sites like the MS download site, or Sun for Java,
>>>> chances
>>>> are you've turned off ESC though.  It gets in the way.  ....and it
>>>> removed a
>>>> barrier that MS has said protects against this attack.  Another reason 
>>>> to
>>>> not browse from the server, even to "known" sites. It makes you lazy,
>>>> makes
>>>> you disable things that are better left enabled, and puts your server 
>>>> at
>>>> risk.
>>>>
>>>> Which brings me to my final point.  How do you know you can trust those
>>>> sites?  I recall when the Linksys homepage had "trending support 
>>>> topics"
>>>> on
>>>> their homepage.  It was obviously a server-side snippet that would pull
>>>> bits
>>>> of conversation from their forums that were seeing high response 
>>>> volumes
>>>> and
>>>> post a few lines.  Since most forums are database driven, it is an easy
>>>> thing to implement.  And if one of those responses had a snippet of
>>>> javascript that exploited this code?  Just visiting a known site could
>>>> *still* get you infected. Banner ads are another great infection point,
>>>> and
>>>> how many 3rd-party vendors have banner ads on their sites?
>>>>
>>>> And if we are going to be completely honest, if you are on the server 
>>>> to
>>>> install a driver, chances are you were browsing as an Administrator. 
>>>> You
>>>> weren't going to log in as a standard user, download the driver, log 
>>>> out,
>>>> log in as Administrator, install, and log back out *again* were you? 
>>>> So
>>>> now
>>>> we have a situation where there was "browsing" (even in a limited 
>>>> sense)
>>>> with full *domain* administrator privileges, from a server with *no*
>>>> protection (DEP nor ESC) in the name of convenience, with an exploit 
>>>> that
>>>> has been in the wild for *months* without getting noticed.  Tell me 
>>>> that
>>>> isn't a recipe for disaster?
>>>>
>>>> I have said it before and I'll say it again. If I want to download
>>>> something
>>>> from MS or Sun, I'll do so from a laptop and save it to a file-share so 
>>>> I
>>>> can access *just* the executable from the server.  Windows Update is 
>>>> the
>>>> obvious exception, but that is not by choice.  That is purely the
>>>> decision
>>>> of MS to make the update process web-based in XP and 2003 thus making 
>>>> it
>>>> unavoidable in those OS's.
>>>>
>>>> In short? I cannot think of *any* reason to use the browser on a 
>>>> server.
>>>> Thus I don't need Flash or Silverlight.  I only need Java if a 
>>>> 3rd-party
>>>> app
>>>> uses it for non-browser code (there are certainly a few.) And the 
>>>> browser
>>>> window only gets opened when an app does so (windows update, Sharepoint
>>>> Central Administration, etc.)  That also means, that unlike most 
>>>> people,
>>>> the
>>>> servers I'm responsible for still have ESC enabled most of the time.
>>>>
>>>> ....
>>>>
>>>> I will agree with Ace though that there are other DLLs that the OS uses
>>>> from
>>>> IE (for MMC rendering, etc) that make updating the browser itself a
>>>> worthwhile exercise.  Although I usually don't jump to the newest 
>>>> browser
>>>> until I know that some of the 3rd party apps that *also* use the IE
>>>> engine
>>>> have also been updated so rendering errors don't cause more headache 
>>>> than
>>>> they are worth.
>>>>
>>>> So, is it time to say good-bye to IE6?  It certainly won't hurt 
>>>> anything.
>>>> But is that the solution to this latest threat?  Not in the least.  We
>>>> need
>>>> to change our habits, not our browsers.
>>>>
>>>> -Cliff
>>>>
>>>>
>>>> "Ace Fekay [MVP-DS, MCT]" <aceman@mvps.RemoveThisPart.org> wrote in
>>>> message
>>>> news:OqNSDjFnKHA.5464@TK2MSFTNGP02.phx.gbl...
>>>> > "Russ SBITS.Biz [SBS-MVP]" <russ@REMOVETHIS.sbits.biz> wrote in 
>>>> > message
>>>> > news:26A3CBB7-60FF-472B-B54E-0E121A22F5A4@microsoft.com...
>>>> >> I'm kind of with Cliff on this
>>>> >> From the server the only sites I visit is Microsoft Download
>>>> >> Sun Micro for Java
>>>> >> and Where the AV is Downloaded
>>>> >> (And any vendor sites like Drivers)
>>>> >>
>>>> >> I don't do any "surfing" from the clients server.
>>>> >> (That's why I have my laptop with security set to max)
>>>> >> And I tell my clients to NEVER surf from the server.
>>>> >> (Remember a server is a server not a work station.)
>>>> >>
>>>> >> Although the question is interesting...
>>>> >>
>>>> >> To me this is like asking if the toilet paper should roll from the
>>>> >> bottom
>>>> >> or top.
>>>> >> and individual thing!
>>>> >>
>>>> >> However we all know that TP must roll from the Top.. :) Duh!
>>>> >> Russ
>>>> >>
>>>> >> -- 
>>>> >> Russell Grover - SBITS.Biz [SBS-MVP]
>>>> >> Microsoft Gold Certified Partner
>>>> >> Microsoft Certified Small Business Specialist
>>>> >> 24hr SBS Remote Support - http://www.SBITS.Biz
>>>> >> Microsoft Online Services - http://www.microsoft-online-services.com
>>>> >>
>>>> >
>>>> > I don't know about that. Some others in the household will put the 
>>>> > roll
>>>> > in
>>>> > backwards, but to them it's correct. :-)
>>>> >
>>>> > But I agree, I don't use my customer servers to browse. I will use my
>>>> > own
>>>> > laptop while remoted into the server, such as when researching an
>>>> > issue,
>>>> > then finding something relevant (such as a download fix, or code to
>>>> > copy,
>>>> > etc), I'll copy/paste the URL to the RDP session to grab it.
>>>> >
>>>> > I also do update my all servers to IE8. I may be wrong, and I haven't
>>>> > researched this, but I believe there's other functionality and 
>>>> > security
>>>> > features that are introduced into the OS with installing the newer
>>>> > browsers.
>>>> >
>>>> > -- 
>>>> > Ace
>>>> >
>>>> > This posting is provided "AS-IS" with no warranties or guarantees and
>>>> > confers no rights.
>>>> >
>>>> > Please reply back to the newsgroup or forum for collaboration benefit
>>>> > among responding engineers, and to help others benefit from your
>>>> > resolution.
>>>> >
>>>> > Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, 
>>>> > MCSE
>>>> > &
>>>> > MCSA 2003/2000, MCSA Messaging 2003
>>>> > Microsoft Certified Trainer
>>>> > Microsoft MVP - Directory Services
>>>> >
>>>> > If you feel this is an urgent issue and require immediate assistance,
>>>> > please contact Microsoft PSS directly. Please check
>>>> > http://support.microsoft.com for regional support phone numbers.
>>>> >
>>>> >
>>>> >
>>>> .
>>>>
> See what SBS support is working on
> http://blogs.technet.com/sbs/default.aspx
> Check your SBS with the SBS Best Practices Analyzer
> http://blogs.technet.com/sbs/archive/tags/BPA/default.aspx 

0
Bill
1/26/2010 5:05:16 PM
Reply:

Similar Artilces:

How can I make an Excel time series chart?
My data is like this: PersonID Date TimeIn TimeOut 1 1/1/2008 03:18 05:18 2 1/1/2008 11:19 14:21 3 1/3/2008 09:27 15:29 I would like to make a chart that shows how many people were present for each hour of the day (1 to 24) Thanks MA MA, Arrange a table in the following manner: Time In Time Out 8:00 9:00 10:00 11:00 7:15 10:19 1 1 1 0 5:02 9:26 1 1 0 0 8:35 12:00 0 1 1 1 Sums 2 3 2 1 Put time marks (hours) into the head row. Put Excel functions like =If(And(C$4>$A5,C$4<$B5),1,0) by proper c...

Avoid append queries too many times a day
Hello, I created several append queries to append to add previous day data every morning. But, how can I build validation to the query so that I or anyone can't append the queries more than one time a day (which will create double the data)? Thanks Why do you need to add previous day data every morning? How is your table structured? Seem like it would be easier to simply include a date field in your table. If you don't want to do that, you could probably write some code to update a field in the originating table so that after the records were exported, the export date would...

my cd with pictures will not down load says windows is not up to
need help see subject Bobby Lou, Two issues here... 1. This is a newsgroup for Microsft Access a database software. I would suggest you contact your camera Vendor or post in the Windows newsgroup. 2. Use the big white space to post your question, not a reference to go read the Subject Line. The Subject Line is only so long and mine cuts off so anyone reading it will not get the entire issue you are having. I would also suggest you post relevant information, like Windows version and what hardware your pictures are on. -- Gina Whipp "I feel I have been deni...

Time To Retire
I have set up a retirement account in MS Money. It is the type account where the employer matches my contributions. In a few months I am actually going to retire and start receiving a monthly payment. I do not know how to enter these distributions in Money. Can anyone help? Thanks If the payments are from that account, they would be deposits to checking, entered as transfers from that account. If the payments are from a guaranteed benefit plan I suspect they would be simply categorized as retirement income. "OmahaJoe" <jshanahan@austin.rr.com> wrote in message news:1168...

Copying Multiple Links at One Time
Need someone's assistance to figure out how one can create multiple links from files on a hard drive, into a spreadsheet with each file link located in a separate cell. Problem: I'm working over in Iraq and support an Iraqi group working in a forensics area. The Iraqi team I'm working with wants to produce an Excel spreadsheet with links to specific files on their hard drive. Trouble is we have almost 110,000 files to link. Is there a way to do this without inputing each link individually? Heelinva -- heelinva --------------------------------------------------------------...

Time Calculations
I am trying to calculate "Start time" + "End Time" on a form in ACCESS 2007 example: I started @ 3:00 am on tuesday and did not finishish until 5:00 pm on saturday. How do I make a calculaution to give me a total for this? what fields should be included in the datasheet and the form? Hi Craig, Here are some articles that you may find helpful: On time and how much has elapsed http://office.microsoft.com/en-us/access/HA011102181033.aspx Using dates and times in Access http://office.microsoft.com/en-us/access/HA010546621033.aspx ACC2000: How to Calculat...

Hours Between Two Times
Is there a way to caluculate the hours between two dates and times while excluding weekends and holidys? Example: Start - 8/24/2007 12:00pm Stop - 8/27/2007 12:00pm Result = 24 hrs Thanks RN Hi RN, Assuming that your start date/time is in cell A2 and Stop date/time is in cell A3. I'll give you 2 nested formulas. One if you have the cell formatted for hrs and mins and one if you want the cell formatted as a standard number. Example 1:- Custom format the cell where you want the formula to [h] if you only want to see hours or [h]:mm if you want to see hours and minutes (The square...

Microsoft Excel for Windows
in Microsoft Excel for Windows I would like to add time eg. 09:00:00 AM plus 05:00:00 PM less ONE HOUR equals 8.0 hrs. Anyone with an example.? I believe you're looking to *subtract* time, *not* sum it. Start time in A1 - 9:00 AM End time in B1 - 5:00 PM =B1-A1 Also, you said *less* one hour, so the total is really 7 hours, not 8, right ? However, to take into account where the end time crosses midnight, where the end time is smaller then the start time, use: =(B1-A1)+(A1>B1) Now change this to a decimal number, so that you can multiply it by the pay rate to get total dollars: ...

time est to move 5GB mailbox from 5.5 to 2003
Hello: I have a user who has a mailbox size of about 5GB on Exchange 5.5 that I need to move to Exchange 2003. What do I need to be concerned about while moving this mailbox? The total free space on the server is 27.8 GB while the OVERALL total is 52.8GB. My question is do I need to worry about moving this almost 5GB mailbox over the network? Plan was to do it during down time. So is there teh risk of data loss? The max mailbox size that I have moved so far here is: 2GB Thanks for your help. Anna I don't think that should present any problems regardless even of the item count. ...

Time formula
Working with a spreadsheet (Excel 2007) that has a start time, end time and time Start Stop time 14:00 15:18 1:18 Would like to convert time to minutes and add 15 minutes to the answer. I have set up a custom format for minutes [m] but can't get the +15. Any help you can give me will be appreaciated. Try this: =MOD(B1-A1,1)+15/(60*24) -- HTH, RD ===================================================== Please keep all correspondence within the Group, so all may benefit! ===================================================== "Dottie" <Dottie@discussi...

very fine timing in movie playing (part2)
Hi, Thanks for all the replies about the timings. I think I can reach a timing of about 1 ms with Sleep(0) and reading cpu counter for fine adjustments. Now I need to synchrone my movie playing. - Is it possible to go ahead/behind about 10 ms at certain times while playing a movie, So that all of my stations get synchronized ? - Is it possible to keep a movie ready and at the desired moment start playing it with a delay less then 10 mSec ? Thanks again, Behzad "bn" <b@b.com> wrote in message news:e%23HuTZLmFHA.2656@TK2MSFTNGP14.phx.gbl... > Hi, > Thanks fo...

plot data on two axis at the same time, metric and english units
I am an engineer and am constantly ploting data in both metric and english units on the same plot. I would like a way to show multiple scales on both the y and x axis. Example: A series of data could have values of psi, bar, & kPa for the y-axis, and ft^3 & meters^3 for the x-axis all on the same chart. The chart could be a custom style and it could either prompt you for the column or row the data in other units is in, or it could prompt you for the scaling factor to multiply the x data by to get to the other units. Currently, with Excel 2003, I make an XY scatter chart with...

Strange Outlook 2003 Message Times on Terminal Server
I have w2k3 terminal sever with Outlook 2003 clients to Exchange server 5.5. I was checking daylight saving time settings. I noticed when I view mesage in my inbox via Outlook 2003 from the rdp server (who's time is correct) the message properties have all the time an hour back.. When I look at the same message from local 2k box running Outlook 2000 they are correct. The rdp server time is correct, the exchange server time is correct, the inbound smtp server times are correct. Why would I see different times on the properties of the message, since these are exchagne mailboxes ?? ...

automatic tranfer of data from worksheet to time sheets
i use excell to both keep reports and i would like to have data such as time/dates from the reports transfered to a separtate worksheet to track time spent on different projects ...

Do when a time and date has elapsed
I have a problem that is driving me nuts. In cell A1 I have a heading of Time, and in B1 I have the heading Date. Column A2:A501 is formatted in hh:mm and B2:B501 is formatted daddy - dd/mmm/yyyy. I want to use a if statement to if the date in say row 3 and the time in the same row has elapsed. I can get the > today to work by using =if(b4>today(),"yes","no") but this only gives me from midnight on the day in question, where I need it from the date and time. Thanks Michael "Michael" wrote: > I have a problem that is driving me nuts. In cell A1 ...

Outlook rules, and time
Is there any way to have outlook rules only fire during specific times? For example I can set up outlook to forward a copy of my home e-mail to my work address, but what I would like is to have outlook forward e-mail to my work address only from 9-5. Is there any way to se this up besides turning the rule on and off manually? Thanks -Phil Lawson ...

Employee Time Clock and Tracking
Does anyone have a good database used for tracking employee times throughout the day for loggin in, breaks, lunches, and loggin out...or something similar to this I could use? I would appreciate it if you could point me to something besides the one that Access suggests already to use. Thanks. If you want folks to suggest something that would meet more of your needs than "the one that Access suggests", you'll probably want to tell us what those needs are that the one Access suggests doesn't meet... Regards Jeff Boyce Microsoft Access MVP -- Disclaim...

Winsock2 connect taking long time to timeout
Hi, I have a situation whereby when I call to the Winsock2's connect() function, it takes a long time to respond back. This causes my CPictureEx animated GIF to show hanging on the screen. I'm thinking of creating a thread for the connect() function call so that it will not hang my animated GIF. Can anyone show me how to go about doing that? TIA. Rgds, Mike Hi mike , Hope the following code snippet will help you .Please do read more abt CreateThraed API in MSDN where u can get good samples of thread implementations. InitialzeThraed() // User Defined Method { DWORD d...

end user agreement poping up every time i open any Office applica
I have been using Microsoft Office 2003 for some time and this is first time I have such issue on new installation. I removed completly the 2007 trial but the pop up is showing every time I open Any Office 2003 application Is so anooying I would gladly give up using microsoft if I dod not have number of previously generated files Anybody knows how to stop it, the pop ups? J wrote: > I have been using Microsoft Office 2003 for some time and this is > first time I have such issue on new installation. > I removed completly the 2007 trial but the pop up is showing every > time I ...

Convert Text "00:00:00:00" to time format in Access 2007
I have an application that uses a stopwatch to capture time on various events. The stopwatch time is stored as a text file, which I would like to convert to a time format. The text value is "00:00:00:00" which needs to be converted to "dd:hh:nn:ss." I've tried just about every method I can find with no luck thus far. There are a number of posts on this topic and I've tried using "CDate," "DateSerial," "TimeSerial" and others, but each returns compile errors when I attempt to run a query to do the conversion. Any sug...

execute macro at certain time
I would like to have a macro execute automatically at a certain time each day. Does anyone know if this is possible? Thanks ------------------------------------------------ Message posted from http://www.ExcelTip.com/ -- View and post Excel related usenet messages directly from http://www.ExcelTip.com/forum -- Hundreds of free MS Excel tips, tricks and solutions at http://www.ExcelTip.com/ ------------------------------------------------ You gonna keep excel open? If yes, take a look at Chip Pearson's notes: http://www.cpearson.com/excel/ontime.htm You also may want to look at a sc...

External , Meeting requests ,incorrect time !!!
I have this major problem, we are running exchange 2000 on svr2000 if any user sends a meeting request externally it's an hour behind from the origanl time.The xchange is behind the firewall.All time zones are correct on all PC's & Servers.Our time zone does not require daylight saving changes.I have tried everything .Please Help!! Is the Outlook time zone correct and if you don't need Daylight Savings have you unchecked the box in Outlook and in the time zone settings of your servers? Nue "Val" <Val@discussions.microsoft.com> wrote in message news:0EFAA...

cannot change time on Exch2003 server
My Exchange server is running about 13 minutes behind the rest of ou Active Dir servers. When I attempt to modify it I get "you do not have the proper privilage lever to change the system time" and my event log show a system error from source W32time and the explaination is 'The time provider NtpClient is configured to acquire time from one or mor time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 240 minutes. NtpClient has n source of accurate time. This server is not a Dom Ctrler but the DC server set as its t...

timed updation
Hi all, i want to make an application which runs every week and download a file from web how do i make my exe run once a week just like task schduler does i can't use task schduler please help Hi You can probably use SetTimer() if your app is a MFC app, but I guess one Week is too long a period to be handled by the Application Balaji. Actually a week is, by my computations, 1000*60*60*24*7=60,480,000 milliseconds, comfortably within the range of SetTimer. However, there are many other issues here. For example, it requires the program be up and running. And that the program always ...

Adding minutes to a time
I have a spreadsheet with three columns. Column A = time Column B = ETA Column C = Arrival time 3:24 :15 3:39Pm I am having dificulty getting the answer in column C. Any help greatly appreciated. Thanks Hi! =A1+B1 Column B time has to be entered as a time - 00:15 Or, you could just enter the integer, 15 and use this formula to get the same result: =A1+B1/1440 Biff >-----Original Message----- >I have a spreadsheet with three columns. > >Column A = time Column B = ETA Column C = Arrival time >3:24 :15 ...