QBASIC and Service Pack 2

[TheBigBasicQ]

Before you do have a look at this!
http://www.extremetech.com/article2/0,15...962,00.asp

[Hard Rock]

Er, in case you misread the article, the number one exploit they mentioned is not specific to sp2.

The vulnerability affects IE 5.01, 5.5 and 6.0 versions, on all operating systems from Windows 95 on (including Windows XP SP2)

And the other one is absoulete crap. Oh wow look mom, i downloaded hackintomycomputerandtotoallyscrewitup.exe, what if i run it, do you think something cool will happen? It requires code to be exectued on your computer, and even if it does work, wtf? How will my "security center" showing some kind of updated firewall/anitvirus that i dont even own affect me? If a program can run on your computer and change the security settings then your screwed anyway, it could format the harddrive instead.

And finally, did you notice how in tiny print its been mentioned:

"those not running in administator are not affected"????

[TheBigBasicQ]

1. The user need not download the malicious script.

2. Most/All people use their computers in administrator mode so the script can easily spoof the 'Windows Security Centre'.

3. The Drag and Drop vulnerability is not the only one. There can be other vulnerabilities in the future which can allow malicious scripts to run
and spoof the WSC.

4. Unfortunately most viruses prefer to convert the infected machine to a 'zombie' machine rather than just destroy your data. They can send your keystroke, personal info or whatever!

5. Theres no tiny print. The first page mentions it quite clearly that the script needs to be run in the administrator mode.

[Hard Rock]

The only point i was making was that this isnt an sp2 vulnerablity. It affects all the other windows as well, as its an IE feature. And since you were trying to point out that by installing sp2 i might be at risk, the simple answer is not any more then any other windows user.

The Drag and Drop vulnerability is not the only one. There can be other vulnerabilities in the future which can allow malicious scripts to run
and spoof the WSC

Well considering i can just look in the bottom right corner to see if my firewall/antivirus works, i couldnt care less. Hell maybe ill modify it myself and add some funky entry.

Unfortunately most viruses prefer to convert the infected machine to a 'zombie' machine rather than just destroy your data. They can send your keystroke, personal info or whatever!

Im well aware of that, but my point was if a program can do that, then it can do anything it wants to, and modifying the WSC to me, seems silly when it can do so much more.

Theres no tiny print. The first page mentions it quite clearly that the script needs to be run in the administrator mode.

I didnt re-read the article, its not a new article, but only remember it being mentioned once, and quickly at that.


But anyway, my point was attacking sp2 for little things like a program being able to modify what the WSC says (which from what i hear has problems running as it is) is like attacking sp2 for the majority users for being stupid. Hey everybody lets blame microsoft becuase you can still call fdisk from the console :o !


I just hope the rumours arnt true about the delayed startup, not another 10 second wait!

[edit]

1. The user need not download the malicious script.

Missed this one. Ive seen the webpage that included the exploit.
But the .exe didnt execute it created a shortcut for later execution, and at worst case scenario if the exploit does allow calling executables, well i use mozilla. and it didnt work. so there


AND FINALLY the big quote

The exploit requires user interaction, such as dragging an icon to a different part of the screen.

Which leads me back to:
"Mommy, what happens if i drag the windows folder over the recycle bin?"


(again how does exploits that affect all versions of windows, not just sp2, make installing sp2 a bad idea? becuase remember you posted your link against my idea that installing sp2 was not a bad idea, i dont see anything against sp2)

[Plasma]

Anything can be exploited if you try hard enough (or the user is stupid enough).

I installed SP2 about 2 days ago and everything still works fine. (Including all my DOS programs.) In fact, I'd say SP2 is better for the "mainstream" windows users because it really pushes the firewall, and IE and OE block a lot of crap that tried to automatically run/load before (those annoying ActiveX applets, tracker images in spam, etc.)

Of course, if you know what you're doing you probably won't notice much difference, but I think SP2 will definitely help with the stupid people on broadband with no firewall who automatically click "ok" whenever they see a dialog window.

[startreksg1]

I install sp2 3 days ago and now i'am disconnecting from the
internet ever 1 to 6 hours. I call my isp and they said it is not them.
but qbasic work fine on sp2. i have a 56k it is the only kind of intenet around here in (US,MS)