Where is the IE zero day exploit in the news...

Imhotep

Nov 26, 2005, 11:13:22 PM
Has anyone noticed that there is not a single mention of the latest IE vuln
in the news (popular news sites like cnn, yahoo, bbc, etc)???

Imhotep

Imhotep

Nov 27, 2005, 1:14:54 PM
Imhotep wrote:

...still waiting for popular news sites to carry the article. Could it be
that MS is putting on the pressure not to carry the article, in popular
news sites, UNTIL there is a fix? Could it be that they are trying to
prevent more IE to Firefox converts? Say it ain't so....say it ain't so....


Imhotep

Shenan Stanley

Nov 27, 2005, 2:08:12 PM
Imhotep wrote:
> Has anyone noticed that there is not a single mention of the
> latest IE vuln in the news (popular news sites like cnn, yahoo,
> bbc, etc)???

Imhotep wrote:
> ...still waiting for popular news sites to carry the article. Could
> it be that MS is putting on the pressure not to carry the article,
> in popular news sites, UNTIL there is a fix? Could it be that they
> are trying to prevent more IE to Firefox converts? Say it ain't
> so....say it ain't so....

...

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html


karl levinson, mvp

Nov 27, 2005, 6:05:26 PM

"Imhotep" <imh...@nospam.com> wrote in message
news:WdqdnaASvKU...@adelphia.com...

>> Has anyone noticed that there is not a single mention of the latest IE
>> vuln in the news (popular news sites like cnn, yahoo, bbc, etc)???

> ...still waiting for popular news sites to carry the article. Could it be
> that MS is putting on the pressure not to carry the article, in popular
> news sites, UNTIL there is a fix? Could it be that they are trying to
> prevent more IE to Firefox converts? Say it ain't so....say it ain't
> so....

This vulnerability affects Firefox as well. So it's not really an "IE
vuln."

http://xforce.iss.net/xforce/xfdb/20783


Imhotep

Nov 27, 2005, 6:17:12 PM
karl levinson, mvp wrote:


Nice try but it does not allow remote code execution from some web site
somewhere....

With IE you can visit a web site and lose control of your PC...

Enough said.

Oh and MS has known about this for how long? Since May? Granted it was
listed as a DOS but still, it has been how many months?

Imhotep

Unruh

Nov 27, 2005, 7:12:12 PM

>http://xforce.iss.net/xforce/xfdb/20783

From that page
"It is reported that this vulnerability could be exploited to cause a
denial of service on Firefox and Opera Web browsers, but remote code
execution is not possible."

I would say that remote code execution is far worse than crashing the
browser.

Imhotep

Nov 27, 2005, 7:27:45 PM
Unruh wrote:

...thanks. That is exactly what I have been trying to say...

Im

Karl Levinson, mvp

Nov 28, 2005, 12:11:47 AM

"Imhotep" <imh...@nospam.com> wrote in message
news:l4SdndJ7tuWc0hfe...@adelphia.com...

> >>This vulnerability affects Firefox as well. So it's not really an "IE
> >>vuln."
> >
> >>http://xforce.iss.net/xforce/xfdb/20783
> >
> > From that page
> > "It is reported that this vulnerability could be exploited to cause a
> > denial of service on Firefox and Opera Web browsers, but remote code
> > execution is not possible."
> >
> > I would say that remote code execution is far worse than crashing the
> > browser.
>
> ...thanks. That is exactly what I have been trying to say...

No, what you've been trying to say is that Microsoft was severely in error
and should not have rated this as "low" when it was "only a denial of
service." But that's the opposite of what the two of you are saying now
when considering the exact same vulnerability affecting Firefox, that it's
OK to minimize the Firefox vuln as being "just a denial of service." There
are two different viewpoints being expressed here that are inconsistent with
each other. If the Firefox vuln is "only a denial of service," then the IE
vuln has only been a known remote code execution vuln for a week or so, not
six months.

Microsoft is being faulted here for not notifying customers [although it
has]. I couldn't find anything on the Firefox web site about this. Not
only haven't they patched this, they haven't notified customers like
Microsoft has. Presumably they're still testing and reproducing the
vulnerability. Which goes back to what I was saying about not assuming that
Microsoft can necessarily always repro a vuln overnight when a finder
refuses to give them all the details.

Unruh

Nov 28, 2005, 2:21:12 PM
"Karl Levinson, mvp" <levin...@despammed.com> writes:


>"Imhotep" <imh...@nospam.com> wrote in message
>news:l4SdndJ7tuWc0hfe...@adelphia.com...

>> >>This vulnerability affects Firefox as well. So it's not really an "IE
>> >>vuln."
>> >
>> >>http://xforce.iss.net/xforce/xfdb/20783
>> >
>> > From that page
>> > "It is reported that this vulnerability could be exploited to cause a
>> > denial of service on Firefox and Opera Web browsers, but remote code
>> > execution is not possible."
>> >
>> > I would say that remote code execution is far worse than crashing the
>> > browser.
>>
>> ...thanks. That is exactly what I have been trying to say...

>No, what you've been trying to say is that Microsoft was severely in error
>and should not have rated this as "low" when it was "only a denial of
>service." But that's the opposite of what the two of you are saying now
>when considering the exact same vulnerability affecting Firefox, that it's
>OK to minimize the Firefox vuln as being "just a denial of service." There

I never said anything like that. I said that remote code execution is much
worse than denial of service and I still stand by that.

>are two different viewpoints being expressed here that are inconsistent with
>each other. If the Firefox vuln is "only a denial of service," then the IE
>vuln has only been a known remote code execution vuln for a week or so, not
>six months.

And I said "only denial of service" where?


>Microsoft is being faulted here for not notifying customers [although it
>has]. I couldn't find anything on the Firefox web site about this. Not
>only haven't they patched this, they haven't notified customers like
>Microsoft has. Presumably they're still testing and reproducing the
>vulnerability. Which goes back to what I was saying about not assuming that
>Microsoft can necessarily always repro a vuln overnight when a finder
>refuses to give them all the details.

6 months sounds a bit extreme however. You must live at the north pole or
south pole, for that to be overnight.

karl levinson, mvp

Nov 28, 2005, 8:01:44 PM

"Unruh" <unruh...@physics.ubc.ca> wrote in message
news:dmflb8$2fa$1...@nntp.itservices.ubc.ca...

> I never said anything like that. I said that remote code execution is much
> worse than denial of service and I still stand by that.

That's not in dispute.

>>are two different viewpoints being expressed here that are inconsistent
>>with each other. If the Firefox vuln is "only a denial of service," then
>>the IE vuln has only been a known remote code execution vuln for a week
>>or so, not six months.
>
> And I said "only denial of service" where?

Check the message headers. I wasn't responding to you.

>>Microsoft is being faulted here for not notifying customers [although it
>>has]. I couldn't find anything on the Firefox web site about this. Not
>>only haven't they patched this, they haven't notified customers like
>>Microsoft has. Presumably they're still testing and reproducing the
>>vulnerability. Which goes back to what I was saying about not assuming
>>that Microsoft can necessarily always repro a vuln overnight when a finder
>>refuses to give them all the details.
>
> 6 months sounds a bit extreme however. You must live at the north pole or
> south pole, for that to be overnight.

Or, perhaps they rated it as low priority because it was "only a denial of
service."


Imhotep

Nov 29, 2005, 7:53:02 PM
Karl Levinson, mvp wrote:


The bug finder did not notify Firefox. He/She notified
Microsoft....Microsoft then sat on its hands for 6 or so months not fixing
the bug and now allowing people to get cracked.

Imhotep

Imhotep

Nov 29, 2005, 7:54:39 PM
karl levinson, mvp wrote:


Again, low or not it HAS BEEN 6 months. Second, Microsoft obviously dropped
the ball in evaluating the security hole....for 6 months...which is the
point of this thread.

Imhotep

Karl Levinson, mvp

Nov 30, 2005, 11:05:01 PM

"Imhotep" <imh...@nospam.com> wrote in message
news:KamdnUm_mJF...@adelphia.com...

> The bug finder did not notify Firefox. He/She notified
> Microsoft....

Where did you read that? I have found nothing to show Microsoft was
notified of this.

> Microsoft then sat on its hands for 6 or so months not fixing
> the bug and now allowing people to get cracked.

You don't know and are only guessing what Microsoft did or didn't do with
this. As you stated, remote code execution vulns are worse than browser
crash vulns. So, by that statement, Microsoft was correct to prioritize
working on fixing other remote code execution vulns first.


Karl Levinson, mvp

Nov 30, 2005, 11:07:25 PM

"Imhotep" <imh...@nospam.com> wrote in message
news:KamdnUi_mJH...@adelphia.com...

> > Or, perhaps they rated it as low priority because it was "only a denial
> > of service."
>
> Again, low or not it HAS BEEN 6 months. Second, Microsoft obviously
> dropped the ball in evaluating the security hole....for 6 months...which
> is the point of this thread.

No, like you, Microsoft prioritized it lower than other vulns, because like
you, they consider remote code execution vulns to be worse than browser
crash vulns.


Unruh

Dec 1, 2005, 1:49:13 PM
"Karl Levinson, mvp" <levin...@despammed.com> writes:

You mean Microsoft had so many "remote code execution" vulnerabilities that
they could not get to serious but lesser things in 6 months? They claim to
be able to rewrite a whole operating system in only a few times that
timeframe. If your scenario is correct then MS is far worse than its worst
critics claim it is.

Alun Jones

Dec 1, 2005, 4:30:07 PM
In article <dmngj9$m2$2...@nntp.itservices.ubc.ca>, Unruh <unruh...@physics.ubc.ca> wrote:
>You mean Microsoft had so many "remote code execution" vulnerabilities that
>they could not get to serious but lesser things in 6 months? They claim to
>be able to rewrite a whole operating system in only a few times that
>timeframe. If your scenario is correct then MS is far worse than its worst
>critics claim it is.

Or, to put it a different way, Microsoft could have added another patch that
likely requires you to reboot your operating system for a low-level
denial-of-service issue that wasn't being exploited, and because it was a
low-level DoS, wasn't likely to be exploited.

Yeah, that would be just wonderful, wouldn't it? "Microsoft made me reboot my
machine - again - for /nothing/?"

You can't just release patches and assume that everyone will be happy.

You have to test the patches (and remember, not everyone installs every patch,
so you have to test a number of different variations of installations), and
then you have to decide "is the damage to our users' systems going to be
greater if we release the patch than if we wait for the next service pack or
other patch to this portion?"

For IE, the chances would be high that some other patch would need to go out,
so why force an update (and a reboot) for a minor issue, knowing that it would
likely not be attacked before the next time you got to issue a patch?

You are talking in such black and white terms, it's as if you miss the
whole complexity of the issue.

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software | Find us at http://www.wftpd.com or email
23921 57th Ave SE | al...@wftpd.com.
Washington WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.

Karl Levinson, mvp

Dec 1, 2005, 9:13:35 PM

"Alun Jones" <al...@texis.invalid> wrote in message
news:iJidnST8nq6...@comcast.com...

> In article <dmngj9$m2$2...@nntp.itservices.ubc.ca>, Unruh
> <unruh...@physics.ubc.ca> wrote:

> For IE, the chances would be high that some other patch would need to go
> out, so why force an update (and a reboot) for a minor issue, knowing that
> it would likely not be attacked before the next time you got to issue a
> patch?

Not to mention that there are and always will be plenty of ways to DoS any
browser. Just put it into a never ending loop, for example. No big deal,
really, just shut down your browser and re-start it and the problem goes
away, unless the user is stupid enough to go back to the site that DoSsed
them in the first place. That's why you never ever see someone trying to
execute a browser DoS.

Imhotep

Dec 2, 2005, 1:07:14 AM
Karl Levinson, mvp wrote:

>
> "Imhotep" <imh...@nospam.com> wrote in message
> news:KamdnUm_mJF...@adelphia.com...
>
>> The bug finder did not notify Firefox. He/She notified
>> Microsoft....
>
> Where did you read that? I have found nothing to show Microsoft was
> notified of this.

Microsoft was notified, what 8 months ago? After reviewing it, they
mistakenly "evaluated" it as low...



>> Microsoft then sat on its hands for 6 or so months not fixing
>> the bug and now allowing people to get cracked.
>
> You don't know and are only guessing what Microsoft did or didn't do with
> this. As you stated, remote code execution vulns are worse than browser
> crash vulns. So, by that statement, Microsoft was correct to prioritize
> working on fixing other remote code execution vulns first.

Please, spare me. What I said was given the choice of a browser blowing up
or allowing ANY web site to run ANY binary on my PC, I would wisely choose
my browser blowing up. Now, face it, once and for all, your mighty
Microsoft, yet again, screwed their customers by not putting any "research"
into evaluating this serious security hole. You can fight this fact, and
try to twist words around but, all you do is prove to me that I am right in
saying "Yet again MS users are better off looking at another
platform"...squirm all you want but you are on the "hook"...

Imhotep

Imhotep

Dec 2, 2005, 1:10:14 AM
Karl Levinson, mvp wrote:


...I also believe that such a popular application, as IE, should not go
unpatched for what 8 months now? No matter what level of security hole
it is/was evaluated to. Unlike you, I do not make such foolish excuses...

Imhotep

Imhotep

Dec 2, 2005, 1:12:12 AM
Unruh wrote:


Ah you also forgot totally redoing the XBox...I guess that was where their
attention was....

But, hey, I heard that the XBox was "blue screening" too!!!!!! Some things
never change, like Microsoft "quality".

Imhotep

Imhotep

Dec 2, 2005, 1:15:13 AM
Alun Jones wrote:


...So what you are saying is that Microsoft can not get patches (or assess
security holes) right either? OK, I agree with that....

Oh, there was the 051 patch fiasco...just recently...but hey did you buy the
new XBox? I heard it has a new "blue Screen" feature! :-)

Imhotep

karl levinson, mvp

Dec 2, 2005, 8:23:53 AM

"Imhotep" <imh...@nospam.com> wrote in message
news:7-2dnaqnoubbeBLe...@adelphia.com...

> ...I also believe that such a popular application, as IE, should not go
> unpatched for what 8 months now? No matter what level of security hole
> it is/was evaluated to. Unlike you, I do not make such foolish excuses...

I don't particularly want patches to be released for IE denial of services.
I'd rather keep the vuln, as it is low risk. I'd rather Microsoft put their
time towards more significant security issues. You can't assume that a
patch six months ago for the DoS would have fixed this issue as well, even
if they are related or the same. Many Microsoft, Oracle and other patches
have fixed one particular vector of attacking a vuln, but another vector is
found that shows the machine still has that vulnerability.

Where are the Firefox and Opera patches?

We know that because of Microsoft's architecture and beta testing, it takes
a minimum of 45 days for any Microsoft patch to be released. This is
necessary because many third party programs rely on IE / MSHTML rendering,
while few rely on Firefox / Mozilla for rendering. A Firefox patch isn't
going to break anything but Firefox, so they can put it out as fast as they
want. Things are also worse when things break for paying customers who can
flood your support lines for support. Firefox has no paying customers.

You keep talking about Xbox taking away security resources. The people and
departments at Microsoft who do security response and patches are totally
different, there is no sharing of resources. I personally wouldn't have
chosen to design a gaming console or an ATM on a Windows-based OS myself,
and I don't own or care about xbox.

karl levinson, mvp

Dec 2, 2005, 8:32:36 AM

"Imhotep" <imh...@nospam.com> wrote in message
news:7-2dnaunouYEeRLe...@adelphia.com...

> Microsoft was notified, what 8 months ago?

Microsoft was not notified. It was posted to the Internet.

> After reviewing it, they mistakenly "evaluated" it as low...

You have nothing to back this up. You evaluated it as low yourself, when
the same vuln was found in Firefox.

> into evaluating this serious security hole. You can fight this fact, and
> try to twist words around but, all you do is prove to me that I am right
> in saying "Yet again MS users are better off looking at another
> platform"...

This whole Microsoft vs. open source argument is boring. Use whatever OS
and browser you want, but leave me out of your purchasing decision. This is
a tech support forum, this is nothing but a waste of our time.

> my browser blowing up. Now, face it, once and for all, your mighty
> Microsoft, yet again, screwed their customers by not putting any
> "research"

> squirm all you want but you are on the "hook"...

"My mighty Microsoft?" Me on the hook? I'm not Microsoft, and I'm not a
Microsoft pawn. I use and encourage others to use non-Microsoft products.
There are lots of things I don't like about Microsoft and things I've said
against Microsoft over the years. It hurts me not at all when you insult
Microsoft or decline to buy their products. Just when you insult Microsoft,
make sure it's for valid reasons. I've got plenty of them myself.

Alun Jones

Dec 2, 2005, 5:41:22 PM
In article <7-2dnaunouYEeRLe...@adelphia.com>, Imhotep
<imh...@nospam.com> wrote:
>Please, spare me. What I said was given the choice of a browser blowing up
>or allowing ANY web site to run ANY binary on my PC, I would wisely choose
>my browser blowing up. Now, face it, once and for all, your mighty
>Microsoft, yet again, screwed their customers by not putting any "research"
>into evaluating this serious security hole. You can fight this fact, and
>try to twist words around but, all you do is prove to me that I am right in
>saying "Yet again MS users are better off looking at another
>platform"...squirm all you want but you are on the "hook"...

Your argument about Microsoft "not researching" this security issue is
specious. There's an old adage in development that "you can't test bugs out
of a product" - this doesn't just mean that a developer has to fix the
product, it also means that test can only find bugs, it can't prove that all
the bugs have been found.

The same is true of research into a security bug. You can find a way to
exploit a security bug, but no matter how much research you throw into it, you
can't, in general, say "there is no way to exploit this security bug".

A while back, the accepted opinion was that heap memory was impossible to
exploit. Nowadays, it's clear that this is no longer true. Similarly, it may
have taken a leap of logic to find out exactly how to exploit what appeared to
its researchers to be merely a DoS.

Don't forget that Microsoft wasn't alone in researching this issue - the
original discoverer was also researching it, and categorised it as a DoS only,
as well. Only recently has it become clear that it is exploitable. As a
result, with all the research suggesting that the bug was a DoS, it was
handled correctly as a DoS.

What I'd like to ask is, if it's so easy to make this into an exploit, why
_you_ weren't pointing this obvious fact out to Microsoft six months ago? You
make it abundantly clear above that you are superior to Microsoft's own
security staff, yet even you were unaware that this exploit existed. Why is
that?

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]

Alun Jones

Dec 2, 2005, 5:41:22 PM
In article <e9BzZT09...@tk2msftngp13.phx.gbl>, "karl levinson, mvp"
<levin...@despammed.com> wrote:
>"My mighty Microsoft?" Me on the hook? I'm not Microsoft, and I'm not a
>Microsoft pawn. I use and encourage others to use non-Microsoft products.
>There are lots of things I don't like about Microsoft and things I've said
>against Microsoft over the years. It hurts me not at all when you insult
>Microsoft or decline to buy their products. Just when you insult Microsoft,
>make sure it's for valid reasons. I've got plenty of them myself.

To back up what Karl says, my rationale for most of my postings here is as
follows:

Those of you screaming about fantasised bugs or incorrectly perceived
stupidity on Microsoft's part are making it difficult for us to get heard when
we complain about real bugs and real stupidity. You also make it real easy
for Microsoft to address those fantasies with spin rather than the realities
that require actual code.

Alun Jones

Dec 2, 2005, 5:41:23 PM
In article <7-2dnaWnouYheBLe...@adelphia.com>, Imhotep
<imh...@nospam.com> wrote:
>Ah you also forgot totally redoing the XBox...I guess that was where their
>attention was....

Enough with the XBox conspiracy theories already. Microsoft is not a single
entity, with only one developer, one tester and one salesperson - the XBox
division is a different division from anything that you're talking about. The
only way you might claim that patching IE gets delayed to ship the XBox is if
you could show that the IE development team quit to go and work on the XBox.
Without that information, you sound like a loony.

>But, hey, I heard that the XBox was "blue screening" too!!!!!! Some things
>never change, like Microsoft "quality".

Do you know any software that didn't have bugs creep past testing?

Bugs are a hazard of the profession - what marks one company above another is
not the number of bugs discovered, but what they do to prevent future bugs,
especially future occurrences of the same bug.

Alun Jones

Dec 2, 2005, 5:41:23 PM
In article <7-2dnaSnoubsexLe...@adelphia.com>, Imhotep
<imh...@nospam.com> wrote:
>....So what you are saying is that Microsoft can not get patches (or assess
>security holes) right either? OK, I agree with that....

What I am saying is that no one assessed this security hole "right", for its
first six months of existence; and that patches take time and require testing,
that they often require a reboot, and that users get irritated with repeatedly
having to reboot machines for updates that fix minor problems.

>Oh, there was the 051 patch fiasco...just recently...but hey did you buy the
>new XBox? I heard it has a new "blue Screen" feature! :-)

Why are you obsessed with the XBox? Put it on your list in your letter to
Santa, and wait. There isn't a prize for posting the most articles
referencing it unnecessarily.

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]

fluidly unsure

Dec 2, 2005, 7:48:17 PM

But many users will panic when the browser stops functioning. They seem
to be afraid the computer might explode if they hit the close button too
hard. Isn't that a social engineering DoS?

What about all the companies selling with a big FUD FACTOR. Like
"Evidence Eliminator"'s attempt to scare people into buying their
product because hackers can see their harddisk from the Internet!


--

Liquid

Todd H.

Dec 3, 2005, 12:06:03 AM
"karl levinson, mvp" <levin...@despammed.com> writes:
> "My mighty Microsoft?" Me on the hook? I'm not Microsoft, and I'm
> not a Microsoft pawn. I use and encourage others to use
> non-Microsoft products. There are lots of things I don't like about
> Microsoft and things I've said against Microsoft over the years. It
> hurts me not at all when you insult Microsoft or decline to buy
> their products. Just when you insult Microsoft, make sure it's for
> valid reasons. I've got plenty of them myself.

Well said.

See, the problem here is that Imhotep talks like someone who has never
produced anything of complexity, had to support it, or had to support
any sizable numbers of end customers of a complex system in all of his
life.

Otherwise, he'd realize that his beef over this issue is completely
unreasonable. I mean, if you're going to pick on Microsoft (and God,
who in the security community doesn't?), the menu of "things to have a
legitimate gripe about" is so large, you have to be an idiot to waste
so much effort trying to order something that's not on that menu.
Imhotep appears to be That Guy, though.

Truth is, this exact same scenario could happen to Mozilla or Opera,
or any other software vendor tomorrow if anyone came up with a remote
exploit that was related to any prior unfixed, low-threat DOS
condition in their products.

Best Regards,
--
Todd H.
http://www.toddh.net/

Charlie Tame

Dec 3, 2005, 10:37:24 AM

"Todd H." <comp...@toddh.net> wrote in message
news:84oe3y6...@ripco.com...

Exactly so Todd, which is why I tried to point out earlier that such
exaggeration of relatively trivial issues actually reflects badly upon the
skills and motives of the originator.

Personally I think one of the biggest problems MS have has been their need
to keep some kind of backward compatibility whilst at the same time
requiring "Ease of use" as one of the main features. It's led (IMHO) to some
complex and probably indecent relationships between windows components but
hasn't really achieved the goal of common code and module re-usability it
should have.

I think this is one development advantage Linux had from its conception. If
there are rules for using a module you are forced to write your part in
accordance with those rules, else it is your part that won't work - you
cannot approach the author of the module you wish to use and or alter it
yourself with what may be a "Bad" idea without it being reviewed
extensively.

I mean I fully understand MS trying to build IE into the system but see no
real commercial advantage in trying to force people to use what is
essentially a free giveaway product. There are quite a few instances where
IE gets broken and lots of other things are affected, while FireFox keep on
working. Aside from windows update there's nothing much that can only be
done with IE... and for windows update I don't see why they need to pursue
ActiveX as they have done. I'd have thought a separate utility for updates a
viable option.

I think it's better to approach these things with a view to trying to
improve the product rather than having an obvious "Bashing" agenda. I don't
particularly feel I should bash "Linux" or the "Linux Community", or any
other OS for that matter - but I do feel that many millions of computer
users don't really want an in depth learning experience, they want to buy a
computer and simply "Use" it. I believe I see evidence of this in the trend
toward more GUI stuff - which in turn brings the same kinds of problems that
Windows has.

Charlie


Imhotep

Dec 4, 2005, 6:40:31 PM
karl levinson, mvp wrote:

>
> "Imhotep" <imh...@nospam.com> wrote in message
> news:7-2dnaunouYEeRLe...@adelphia.com...
>
>> Microsoft was notified, what 8 months ago?
>
> Microsoft was not notified. It was posted to the Internet.

Microsoft knew about this security hole 8 months ago. Now, the code to take
advantage of the security hole for remote code execution WAS posted a month
ago that works on the SAME security vulnerability.
Stop twisting words and playing games.......


>> After reviewing it, they mistakenly "evaluated" it as low...
>
> You have nothing to back this up. You evaluated it as low yourself, when
> the same vuln was found in Firefox.

Nothing to back this up? Hummm...Microsoft had it listed as a DOS and
evaluated it as a LOW risk. True or false? Second, the vulnerability in
Firefox is just a DOS. Since the code is freely available to review (which
it was) the code was reviewed and it was written that the remote code
exploitation is IE ONLY! Maybe if IE was Open Source people could have
identified the remote code vulnerability in IE instead of getting screwed
by Microsoft again, and again, and again.

>> into evaluating this serious security hole. You can fight this fact, and
>> try to twist words around but, all you do is prove to me that I am right
>> in saying "Yet again MS users are better off looking at another
>> platform"...
>
> This whole Microsoft vs. open source argument is boring. Use whatever OS
> and browser you want, but leave me out of your purchasing decision. This
> is a tech support forum, this is nothing but a waste of our time.

Well, it would be nice if you could look at this in a logical way instead of
being a Microsoft advocate. Second, I originally posted the question of why
this was not being posted on the non techie popular web sites. I am still
waiting for your answer.....

>> my browser blowing up. Now, face it, once and for all, your mighty
>> Microsoft, yet again, screwed their customers by not putting any
>> "research"
>
>> squirm all you want but you are on the "hook"...
>
> "My mighty Microsoft?" Me on the hook? I'm not Microsoft, and I'm not a
> Microsoft pawn. I use and encourage others to use non-Microsoft products.
> There are lots of things I don't like about Microsoft and things I've said
> against Microsoft over the years. It hurts me not at all when you insult
> Microsoft or decline to buy their products. Just when you insult
> Microsoft, make sure it's for valid reasons. I've got plenty of them myself.

OK. However, please be a little more neutral. I used to use Microsoft
products also. However, like most people I got tired of the endless lies
and bullshit whitepapers.....

Imhotep

Imhotep

Dec 4, 2005, 6:57:32 PM
Todd H. wrote:

> "karl levinson, mvp" <levin...@despammed.com> writes:
>> "My mighty Microsoft?" Me on the hook? I'm not Microsoft, and I'm
>> not a Microsoft pawn. I use and encourage others to use
>> non-Microsoft products. There are lots of things I don't like about
>> Microsoft and things I've said against Microsoft over the years. It
>> hurts me not at all when you insult Microsoft or decline to buy
>> their products. Just when you insult Microsoft, make sure it's for
>> valid reasons. I've got plenty of them myself.
>
> Well said.
>
> See, the problem here is that Imhotep talks like someone who has never
> produced anything of complexity, had to support it, or had to support
> any sizable numbers of end customers of a complex system in all of his
> life.

...and you talk like someone who talks out of his ass. You seem to be the
type that reads and believes every whitepaper you come across but when
asked a serious technical question run to your friendly contractor. Spare
me your foolish gibberish. You have no idea who I am or what I do for a
living. Meatball.



> Otherwise, he'd realize that his beef over this issue is completely
> unreasonable. I mean, if you're going to pick on Microsoft (and God,
> who in the security community doesn't?), the menu of "things to have a
> legitimate gripe about" is so large, you have to be an idiot to waste
> so much effort trying to order something that's not on that menu.
> Imhotep appears to be That Guy, though.

I have asked why this news (I have not looked in about three days) was not
in the non techie popular news sites. Why? Because it usually is the home
users getting screwed more than anyone else. This is a legitimate gripe, as
again, these are the people getting screwed. I would think that someone as,
ahem, intelligent as you could comprehend that.

> Truth is, this exact same scenario could happen to Mozilla or Opera,
> or any other software vendor tomorrow if anyone came up with a remote
> exploit that was related to any prior unfixed, low-threat DOS
> condition in their products.

Did you even read any of the prior threads? That "gripe" as you put it was
about how Microsoft with all of its money dropped that ball on a very
critical security hole and as such put millions of pc users in bad
position. It was not about how a security hole could come into being on
other software (da!).

Imhotep

> Best Regards,

Imhotep

Dec 4, 2005, 7:01:55 PM
Charlie Tame wrote:

Hummmm...Let's look at some numbers.

1) IE => 85% marketshare of all PCs

2) IE Remote Execution code that STILL is unpatched

Still don't see this as "...trivial issue..."

Enough said.

Imhotep

Imhotep

Dec 4, 2005, 7:06:07 PM
Alun Jones wrote:

> In article <e9BzZT09...@tk2msftngp13.phx.gbl>, "karl levinson, mvp"
> <levin...@despammed.com> wrote:
>>"My mighty Microsoft?" Me on the hook? I'm not Microsoft, and I'm not a
>>Microsoft pawn. I use and encourage others to use non-Microsoft products.
>>There are lots of things I don't like about Microsoft and things I've said
>>against Microsoft over the years. It hurts me not at all when you insult
>>Microsoft or decline to buy their products. Just when you insult
>>Microsoft,
>>make sure it's for valid reasons. I've got plenty of them myself.
>
> To back up what Karl says, my rationale for most of my postings here is as
> follows:
>
> Those of you screaming about fantasised bugs or incorrectly perceived
> stupidity on Microsoft's part are making it difficult for us to get heard
> when
> we complain about real bugs and real stupidity. You also make it real
> easy for Microsoft to address those fantasies with spin rather than the
> realities that require actual code.

Are you saying the IE's Remote Code is not a "real bug"? Are you really
saying that? Are you saying that I am just "bitching" because I feel that
they could have handled this a hell-of-a-lot better than they did? Are you
really saying that?

Imhotep

fluidly unsure

Dec 4, 2005, 10:25:58 PM

What about the recent outbreak of rootkit and rootkit-like malware? I
read a paper on how to handle that potential threat from MS that was
written last year. They were on the ball on that one. They were prepared for
the problem almost a year before SysInternals was.

They've learned from past mistakes. SP2 is fixing many of the problems
they used to deny and they are embracing third-party audits. Remember
when they were so upset with eEye for finding vulnerabilities in their
software? Now they are thanking them for their work.

While they've made some incredibly stupid decisions, they've also made
some good ones. Let's give credit where credit is due.

>
> Imhotep
>
>
>>Best Regards,
>
>


--

Liquid

Todd H.

Dec 4, 2005, 11:21:16 PM
Imhotep <imh...@nospam.com> writes:

> You have no idea who I am or what I do for a living. Meatball.

So enlighten us,...umm eggroll.

Mmmmm. Eggrolls.

Or, actually, don't bother because your thought process on this issue
and others speaks a lot louder than your resume would.

> I have asked why this news (I have not looked in about three days) was not
> in the non techie popular news sites. Why? Because it usually is the home
> users getting screwed more than anyone else. This is a legitimate gripe, as
> again, these are the people getting screwed. I would think that someone as,
> ahem, intelligent as you could comprehend that.

It has hit the popular media but no more than any other security issue
would. That it's very serious in widely deployed software, yet the
media isn't hooting and hollering is indeed curious, and lamentable.
That is actually a useful and interesting insight.

But that's not the argument that makes folks think you're off the deep
end on the Microsoft bashing as a result. Let's be clear what we're
arguing about, butter wings.

> > Truth is, this exact same scenario could happen to Mozilla or Opera,
> > or any other software vendor tomorrow if anyone came up with a remote
> > exploit that was related to any prior unfixed, low-threat DOS
> > condition in their products.
>
> Did you even read any of the prior threads? That "gripe" as you put
> it was about how Microsoft with all of its money dropped that ball
> on a very critical security hole and as such put millions of pc
> users in bad position. It was not about how a security hole could
> come into being on other software (da!).

It's not about money. It's not about resources. Every business is
about managing risk with finite resources. Yes, even Microsoft has
finite resources. If it had infinite resources, it wouldn't be
profitable, and would've gone under long ago.

You contend that it's a hanging crime that Microsoft didn't fix a
denial of service vulnerability for 8 months. I, and a lot of others,
evidently disagree with that, and say yours is an unreasonable gripe
because the vulnerability as originally discovered was not that big a
deal.

Yes, NOW it really is a big friggin deal and people should be
concerned. And, with respect to Microsoft's response, reasonable
folks will start the "hangin crime" timer on Microsoft's response to
the issue from the moment the remote code execution exploit of this
vulnerability was released. Not from the "harmless denial of
service" release date.

Alun Jones

Dec 4, 2005, 11:28:38 PM
In article <eTBS29B#FHA....@TK2MSFTNGP11.phx.gbl>, "Charlie Tame"
<cha...@tames.net> wrote:
>Personally I think one of the biggest problems MS have has been their need
>to keep some kind of backward compatibility whilst at the same time
>requiring "Ease of use" as one of the main features. It's led (IMHO) to some
>complex and probably indecent relationships between windows components but
>hasn't really achieved the goal of common code and module re-usability it
>should have.

This point is worth expanding.

Let's assume Microsoft could prevent all unsecure code from running...
tomorrow.

If they did so, pretty much every application out there would stop running. I
mean, look at the uproar in the press over XP Service Pack 2, where there was
a suggestion that a full 10% of all applications would "be broken by" XP SP2.

The answer, of course, is that those applications were already broken before
XP SP2 came along, but that XP SP2 stopped being "Mr Nice Guy" to them, and
allowing them to operate in such a broken way.

Did this make the 3rd party vendors sit up and listen? Like hell it did. No,
they bitched and moaned about the heavy-handed action Microsoft was taking -
even though they were essentially arguing against security.

Did it make users sit up and listen? Again, hell no. I still meet users who
complain that they aren't going to install XP SP2 because it breaks one or
more of their applications. That means that they would rather run unsecure
software.

Microsoft Windows is shackled by its history, whereas other operating systems
work without such shackles (though the Linux/Unix crowd have their own
shackles to deal with, largely the concept of "it's a system call, it'll never
fail" that seems endemic to the *n*x development world). If Microsoft fixed
every bug tomorrow, statistically speaking, nobody would update to the new
software, because they have applications that need to run today.

And statistically speaking, no one is pressuring the vendors to change their
development tactics. Intuit is "proud" to release yet another version of
Quickbooks that requires you run as an Administrator (or Power User, which is
essentially the same thing). [Sorry, Intuit, but let's face it, you've been
told about this one time and time again, and you don't seem to give a damn.]

Intuit is far from being the only one. Why do you have to be an administrator
to play "Mary Kate & Ashley's Dance Party of the Century"? How many admins do
you know that are fans of the Olsen twins, except in a pervy way? "Rainbow
Six", "Scrabble 2", "Photosuite 4.0", etc, etc ( see
http://www.threatcode.com, or http://support.microsoft.com/?id=307091 for
more) - and yes, some of those listed are Microsoft titles.

[Some of this mess could have been avoided if the "administrator" privileges
were renamed "janitorial" privileges. That's really what they are.]

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]

Alun Jones

Dec 4, 2005, 11:28:39 PM
In article <pM-dndWIpsf...@adelphia.com>, Imhotep <imh...@nospam.com>
wrote:

>Are you saying the IE's Remote Code is not a "real bug". Are you really
>saying that? Are you saying that I am just "bitching" because I feel that
>they could have handled this a hell-of-a-lot better than they did? Are you
>really saying that?

Did I say that?

No.

Then I am not really saying that.

Thank you for playing.

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]

karl levinson, mvp

Dec 5, 2005, 8:27:10 AM

"Imhotep" <imh...@nospam.com> wrote in message
news:pM-dndqIpsf...@adelphia.com...

> Hummmm...Let's look at some numbers.
>
> 1) IE => 85% marketshare of all PCs
>
> 2) IE Remote Execution code that STILL is unpatched
>
> Still don't see this as "...trivial issue..."
>
> Enough said.

No one is saying that the vuln is trivial. They're talking about the issue
of this not being widely reported in the mainstream media.

Even this vuln, despite being rated critical, is very unlikely to infect you
or other home users. Browser vulns rarely compromise that many computers.
One of the most famous ones so far was Download.Ject / ADODB.Stream, and
that really did not compromise very many people. So you have some bugs that
cause too much media sensation, and others that don't cause enough. The
media is fickle and are not security experts. It's not a Microsoft / media
conspiracy.

Microsoft patches take usually a few hours to a day to code and at least 45
days to test and release. That's just the way it works. The world
[including you] has asked that MS patches be made more reliable, so the
world is going to have to wait.


Imhotep

Dec 7, 2005, 12:29:21 AM
karl levinson, mvp wrote:

I do not see warning people about a seriously critical security hole as
being trivial. Tell that to the people that lose their credit card info (or
whatever)....I am sure they would love to hear your explanation about how
"trivial" it is...

However, it is strange that Firefox gets press for a trivial IDN security
issue and IE gets none for a browser remote code execution security issue.
Don't you think that is a little strange?

It has been how long now 2 weeks and not a peep on any of the popular web
sites....Yet the media loves to sensationalize things...still not a peep...

Sorry but I think there is a little political (marketing) pressure here....

Imhotep

Imhotep

Dec 7, 2005, 12:35:26 AM
Alun Jones wrote:


I think the point here is that home users (who usually are the people that
get screwed more often than not) deserve to be warned that using IE right
now is very risky. Frankly MS OWES it to the home users...For example, they
could easily post the news on their site...or popup a window when a
windowsupdate is kicked off. But then again, they really do not care much.


Imhotep

Imhotep

Dec 7, 2005, 12:37:54 AM
fluidly unsure wrote:

...that was yet another "feature" of IE patched some time ago...

Imhotep

karl levinson, mvp

Dec 7, 2005, 6:51:22 AM

"Imhotep" <imh...@nospam.com> wrote in message
news:06ednWrfi86v6Ave...@adelphia.com...

>> But many users will panic when the browser stops functioning. They seem
>> to be afraid the computer might explode if they hit the close button too
>> hard. Isn't that a social engineering DoS?
>>
>> What about all the companies selling with a big FUD FACTOR. Like
>> "Evidence Eliminator"'s attempt to scare people into buying their
>> product because hackers can see their harddisk from the Internet!
>>
> ...that was yet another "feature" of IE patched some time ago...

I assume everyone is joking here. Neither of those have anything to do with
IE and would happen with any browser or OS. Blaming Microsoft for social
engineering attacks against the user is just silly.

karl levinson, mvp

Dec 7, 2005, 6:58:59 AM

"Imhotep" <imh...@nospam.com> wrote in message
news:06ednWvfi8486Qve...@adelphia.com...

> I think the point here is that home users (who usually are the people that
> get screwed more often than not) deserve to be warned that using IE right
> now is very risky. Frankly MS OWES it to the home users...For example,
> they
> could easily post the news on their site...or popup a window when a
> windowsupdate is kicked off. But then again, they really do not care much.

I disagree. Warning home users about a bug that is unlikely to hit them and
for which there is no patch, when there are bigger things for home users to
worry about, won't do anything but cause panic and FUD. I write and send
security alerts to a large audience at work and haven't written anything
about this. www.us-cert.gov hasn't put this as an alert on their home page.
I'd be really surprised if a DoD IAVA had been issued on this. The various
other security companies that make their living on recycling security alerts
to techies haven't been raising the alarm, and these are companies that are
not always friendly to Microsoft or vulnerable to bribes. Face it, no one
in or out of the security industry is rating this as being critical enough
to warn home users.

karl levinson, mvp

Dec 7, 2005, 7:05:38 AM

"Imhotep" <imh...@nospam.com> wrote in message
news:59idnQa7aIKu7gve...@adelphia.com...

> I do not see warning people about a seriously critical security hole as
> being trivial. Tell that to the people that lose their credit card info
> (or
> whatever)....I am sure they would love to hear your explanation about how
> "trivial" it is...

When you find someone who has lost their credit card information due to this
vulnerability, I'll apologize to them. Most people who lose their credit
card info click on a link in a phishing email and type it out manually into
the site, or have their information stolen from a credit processing server.
Regardless of what browser is used.

> However, it is strange that Firefox gets press for a trivial IDN security
> issue and IE gets none for a browser remote code execution security issue.
> Don't you think that is a little strange?

No. The media gets things wrong all the time. They miss important news and
trump up unimportant news. They make mistakes and are sometimes stupid.
It's not always fair.

Absolutely Firefox may have gotten unfairly dinged on the IDN issue. They
probably should get a little more of a ding than they've gotten on this "IE"
issue for also being vulnerable.

Winged

Dec 7, 2005, 7:48:40 PM

> Sorry but I think there is a little political (marketing) pressure here....
>
> Imhotep
Glad to see I am not the only one to notice the press disparity here.

I have noted several publication authors who have ranted that Firefox
was no safer than the other browsers and their bug report record was
worse than IE. When you review the record however very few of the
firefox bugs allowed remote system access and their criticals were
patched relatively speaking very quickly. I have noted these authors to
remember never to listen too closely to their writings in the future.

My problem is my personal exp. I have not been able to identify any
compromises in Firefox, that was due to Firefox (I have been aware of
Adobe, quicktime and Macromedia plug in exploitations for some time).
While the compromises I observed were minor in nature (cookie planted
where none were allowed) I quit using external plug-ins. I still use Java
on occasion, but only on sites which require it due to the site
construction and where I specifically want to allow activity, then
turned off in normal mode of operations. I did build my own Firefox
Java Button that allows me to turn Java functionality on/off
quickly (just cuz I am really paranoid).

But the press seems to jump much harder on Firefox issues than Microsoft
receives even for long standing IE issues. But for me it is much like
the man who goes to the Dr. and says it hurts when I do that and Dr says
don't do that. Firefox prevents my ouch, so, shrugs, I may get
compromised with Firefox ..someday..but for now they have my browser.

Winged

Winged

Dec 7, 2005, 7:53:38 PM
Actually take a re-look, there is a DOD advisory on the issue.

Winged

Fluidly Unsure

Dec 7, 2005, 10:44:43 PM

I was neither joking nor was I blaming IE/MS. If anything, I was blaming EE.

My point was about an end user's overreaction to a minuscule event. There are
companies that feed off people's fears of computers. That in itself could
qualify as a DoS because people will not get anything done while they are
calling NOS or waiting on hold for Symantec.

--

Liquid

Fuzzy Logic

Dec 8, 2005, 4:04:43 PM
Imhotep <imh...@nospam.com> wrote in
news:59idnQa7aIKu7gve...@adelphia.com:

> I do not see warning people about a seriously critical security hole as
> being trivial. Tell that to the people that lose their credit card info
> (or whatever)....I am sure they would love to hear your explanation
> about how "trivial" it is...

While the potential for harm is there, the fact is that it hasn't been
exploited and even if it were it's unlikely anyone's credit card number
would be obtained.

Besides, if you follow Microsoft's advice and set the security on the
Internet zone to High you are not vulnerable:

http://www.microsoft.com/athome/security/online/browsing_safety.mspx



> However, it is strange that Firefox gets press for a trivial IDN
> security issue and IE gets none for a browser remote code execution
> security issue. Don't you think that is a little strange?

Firefox got market share by claiming it was 'more secure' than IE and thus
attracts more attention when it's found to be vulnerable. It's interesting
that Firefox is now downplaying the security angle in favor of a 'better
web experience'.

> It has been how long now 2 weeks and not a peep on any of the popular
> web sites....Yet the media loves to sensationalize things...still not a
> peep...

Obviously Microsoft has paid off all the major media providers;-)

> Sorry but I think there is a little political (marketing) pressure
> here....

I bet you haven't heard anything about a similar (buffer overflow could
lead to remote code execution) bug in Firefox 1.5 that's been around for
about a week now.

https://bugzilla.mozilla.org/show_bug.cgi?id=319004
http://packetstormsecurity.org/0512-exploits/firefox-1.5-buffer-overflow.txt

Perhaps computer security vulnerabilities are getting to be so commonplace
that the media can't be bothered to report them anymore?

Fuzzy Logic

Dec 8, 2005, 4:11:13 PM
Imhotep <imh...@nospam.com> wrote in
news:06ednWvfi8486Qve...@adelphia.com:

> I think the point here is that home users (who usually are the people that
> get screwed more often than not) deserve to be warned that using IE right
> now is very risky. Frankly MS OWES it to the home users...For example, they
> could easily post the news on their site...or popup a window when a
> windowsupdate is kicked off. But then again, they really do not care much.

Regardless of the methods used to make people aware of this many people are
clueless. People that are concerned about computer security have already
taken the precautions to prevent this and the ones that don't are difficult
to help.

Microsoft has done the following:

http://www.microsoft.com/athome/security/online/browsing_safety.mspx
http://www.microsoft.com/technet/security/advisory/911302.mspx

Imhotep

Dec 15, 2005, 12:47:54 AM
karl levinson, mvp wrote:

>
> "Imhotep" <imh...@nospam.com> wrote in message
> news:06ednWvfi8486Qve...@adelphia.com...
>
>> I think the point here is that home users (who usually are the people
>> that get screwed more often than not) deserve to be warned that using IE
>> right now is very risky. Frankly MS OWES it to the home users...For
>> example, they
>> could easily post the news on their site...or popup a window when a
>> windowsupdate is kicked off. But then again, they really do not care
>> much.
>
> I disagree. Warning home users about a bug that is unlikely to hit them
> and for which there is no patch, when there are bigger things for home
> users to
> worry about, won't do anything but cause panic and FUD.

Here is where you and I disagree (a lot). People should always be warned if
the software they are using is unsafe (and especially if it is critical); at
least an informed user can make a decision about what they want to risk
and what they do not want to risk. In either case people should be allowed
the choice. Frankly, what makes you think you are the person qualified to
make that choice for me? for anyone else? Are you going to fix my machine?
Are you going to fix my credit?

> I write and send
> security alerts to a large audience at work and haven't written anything
> about this. www.us-cert.gov hasn't put this as an alert on their home
> page.

Come on now! Both you and I know that CERT has a policy of NOT publishing
warnings UNTIL there is a fix! Don't try to "snow" me, you will waste your
time.

> I'd be really surprised if a DoD IAVA had been issued on this.

Well, the DOE HAS taken action...

> The
> various other security companies that make their living on recycling
> security alerts to techies haven't been raising the alarm, and these are
> companies that are
> not always friendly to Microsoft or vulnerable to bribes. Face it, no one
> in or out of the security industry is rating this as being critical enough
> to warn home users.


Yes, I guess the bad publicity will cost MS some dollars. Face it. It is
pretty pathetic that the people expected to pay top dollar for their
software are not worth a simple "heads up" message....screwed again by MS.

Imhotep

Fuzzy Logic

Dec 15, 2005, 1:22:02 PM
Imhotep <imh...@nospam.com> wrote in
news:GMqdnYeVCcURnjze...@adelphia.com:

> karl levinson, mvp wrote:
>
>>
>> "Imhotep" <imh...@nospam.com> wrote in message
>> news:06ednWvfi8486Qve...@adelphia.com...
>>
>>> I think the point here is that home users (who usually are the people
>>> that get screwed more often than not) deserve to be warned that using
>>> IE right now is very risky. Frankly MS OWES it to the home users...For
>>> example, they
>>> could easily post the news on their site...or popup a window when a
>>> windowsupdate is kicked off. But then again, they really do not care
>>> much.
>>
>> I disagree. Warning home users about a bug that is unlikely to hit
>> them and for which there is no patch, when there are bigger things for
>> home users to
>> worry about, won't do anything but cause panic and FUD.
>
> Here is where you and I disagree (a lot). People should always be warned
> if the software they are using is unsafe (and especially if it is
> critical); at least an informed user can make a decision about what they
> want to risk and what they do not want to risk. In either case people
> should be allowed the choice. Frankly, what makes you think you are the
> person qualified to make that choice for me? for anyone else? Are you
> going to fix my machine? Are you going to fix my credit?

OK here you go:

THE SOFTWARE YOU USE IS UNSAFE!!!

Regardless of the OS and browser you use there are vulnerabilities in it.
They may not have been discovered YET but they are there just waiting to
be found. Ultimately your security depends on you. If you visit
questionable sites, open unsolicited attachments etc. no software can
protect you from your own stupidity.

These guys are on the right track:

http://www.humanfirewall.org/rhfwm.htm
