«

Karl Levinson, mvp wrote:

>
> "Imhotep" <> wrote in message
> news: ...
>
>> >>This vulnerability affects Firefox as well. So it's not really an "IE
>> >>vuln."
>> >
>> >>http://xforce.iss.net/xforce/xfdb/20783
>> >
>> > From that page
>> > "It is reported that this vulnerability could be exploited to cause a
>> > denial of service on Firefox and Opera Web browsers, but remote code
>> > execution is not possible."
>> >
>> > I would say that remote code execution is far worse than crashing the
>> > browser.
>>
>> ...thanks. That is exactly what I have been trying to say...
>
> No, what you've been trying to say is that Microsoft was severely in error
> and should not have rated this as "low" when it was "only a denial of
> service." But that's the opposite of what the two of you are saying now
> when considering the exact same vulnerability affecting Firefox, that it's
> OK to minimize the Firefox vuln as being "just a denial of service."
> There are two different viewpoints being expressed here that are
> inconsistent with
> each other. If the Firefox vuln is "only a denial of service," then the
> IE vuln has only been a known remote code execution vuln for a week or so,
> not six months.
>
> Microsoft is being faulted here for not notifying customers [although it
> has]. I couldn't find anything on the Firefox web site about this. Not
> only haven't they patched this, they haven't notified customers like
> Microsoft has. Presumably they're still testing and reproducing the
> vulnerability. Which goes back to what I was saying about not assuming
> that Microsoft can necessarily always repro a vuln overnight when a finder
> refuses to give them all the details.


The bug finder did not notify Firefox. He/She notified
Microsoft....Microsoft then sat on it's hands for 6 or so months not fixing
the bug and now allowing people to get cracked.

Imhotep

karl levinson, mvp wrote:

>
> "Unruh" <unruh-> wrote in message
> news:dmflb8$2fa$...
>
>> I never said anything like that. I said that remote code execution is
>> much worse than denial of service and I still stand by that.
>
> That's not in dispute.
>
>>>are two different viewpoints being expressed here that are inconsistent
>>>with
>>>each other. If the Firefox vuln is "only a denial of service," then the
>>>IE
>>>vuln has only been a known remote code execution vuln for a week or so,
>>>not
>>>six months.
>>
>> And I said "only denial of service" where?
>
> Check the message headers. I wasn't responding to you.
>
>>>Microsoft is being faulted here for not notifying customers [although it
>>>has]. I couldn't find anything on the Firefox web site about this. Not
>>>only haven't they patched this, they haven't notified customers like
>>>Microsoft has. Presumably they're still testing and reproducing the
>>>vulnerability. Which goes back to what I was saying about not assuming
>>>that
>>>Microsoft can necessarily always repro a vuln overnight when a finder
>>>refuses to give them all the details.
>>
>> 6 months sounds a bit extreme however. You must live at the north pole or
>> south pole, for that to be overnight.
>
> Or, perhaps they rated it as low priority because it was "only a denial of
> service."


Again, low are not it HAS BEEN 6 months. Second, Microsoft obviously dropped
the ball in evaluating the security hole....for 6 months...which is the
point of this thread.

Imhotep

"Imhotep" <> wrote in message
news:KamdnUm_mJFzahHeRVn-...

> The bug finder did not notify Firefox. He/She notified
> Microsoft....

Where did you read that? I have found nothing to show Microsoft was
notified of this.

> Microsoft then sat on it's hands for 6 or so months not fixing
> the bug and now allowing people to get cracked.

You don't know and are only guessing what Microsoft did or didn't do with
this. As you stated, remote code execution vulns are worse than browser
crash vulns. So, by that statement, Microsoft was correct to prioritize
working on fixing other remote code execution vulns first.

"Imhotep" <> wrote in message
news:KamdnUi_mJHSZRHeRVn-...

> > Or, perhaps they rated it as low priority because it was "only a denial
of
> > service."
>
> Again, low are not it HAS BEEN 6 months. Second, Microsoft obviously
dropped
> the ball in evaluating the security hole....for 6 months...which is the
> point of this thread.

No, like you, Microsoft prioritized it lower than other vulns, because like
you, they consider remote code execution vulns to be worse than browser
crash vulns.

"Karl Levinson, mvp" <> writes:


>"Imhotep" <> wrote in message
>news:KamdnUi_mJHSZRHeRVn-...

>> > Or, perhaps they rated it as low priority because it was "only a denial
>of
>> > service."
>>
>> Again, low are not it HAS BEEN 6 months. Second, Microsoft obviously
>dropped
>> the ball in evaluating the security hole....for 6 months...which is the
>> point of this thread.

>No, like you, Microsoft prioritized it lower than other vulns, because like
>you, they consider remote code execution vulns to be worse than browser
>crash vulns.

You mean Microsoft had so many "remote code execution" vulnerabilities that
they could not get to serious but lesser things in 6 months? They claim to
be able to rewrite a whole operating system in only a few times that
timeframe. If your scenario is correct then MS is far worse than its worst
critics claim it is.

In article <dmngj9$m2$>, Unruh <unruh-> wrote:
>You mean Microsoft had so many "remote code execution" vulnerabilities that
>they could not get to serious but lesser things in 6 months? They claim to
>be able to rewrite a whole operating system in only a few times that
>timeframe. If your scenario is correct then MS is far worse than its worst
>critics claim it is.

Or, to put it a different way, Microsoft could have added another patch that
likely requires you to reboot your operating system for a low-level
denial-of-service issue that wasn't being exploited, and because it was a
low-level DoS, wasn't likely to be exploited.

Yeah, that would be just wonderful, wouldn't it? "Microsoft made me reboot my
machine - again - for /nothing/?"

You can't just release patches and assume that everyone will be happy.

You have to test the patches (and remember, not everyone installs every patch,
so you have to test a number of different variations of installations), and
then you have to decide "is the damage to our users' systems going to be
greater if we release the patch than if we wait for the next service pack or
other patch to this portion?"

For IE, the chances would be high that some other patch would need to go out,
so why force an update (and a reboot) for a minor issue, knowing that it would
likely not be attacked before the next time you got to issue a patch?

You are talking in such black and white terms, it's as if you miss the
whole complexity of the issue.

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software | Find us at http://www.wftpd.com or email
23921 57th Ave SE | .
Washington WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.

"Alun Jones" <> wrote in message
news:iJidnST8nq6s9hLeRVn-...
> In article <dmngj9$m2$>, Unruh
<unruh-> wrote:

> For IE, the chances would be high that some other patch would need to go
out,
> so why force an update (and a reboot) for a minor issue, knowing that it
would
> likely not be attacked before the next time you got to issue a patch?

Not to mention that there are and always will be plenty of ways to DoS any
browser. Just put it into a never ending loop, for example. No big deal,
really, just shut down your browser and re-start it and the problem goes
away, unless the user is stupid enough to go back to the site that DoSsed
them in the first place. That's why you never ever see someone trying to
execute a browser DoS.

Karl Levinson, mvp wrote:

>
> "Imhotep" <> wrote in message
> news:KamdnUm_mJFzahHeRVn-...
>
>> The bug finder did not notify Firefox. He/She notified
>> Microsoft....
>
> Where did you read that? I have found nothing to show Microsoft was
> notified of this.

Microsoft was notified, what 8 months ago? After reviewing it, they
mistakenly "evaluated" it as low...

>> Microsoft then sat on it's hands for 6 or so months not fixing
>> the bug and now allowing people to get cracked.
>
> You don't know and are only guessing what Microsoft did or didn't do with
> this. As you stated, remote code execution vulns are worse than browser
> crash vulns. So, by that statement, Microsoft was correct to prioritize
> working on fixing other remote code execution vulns first.

Please, spare me. What I said was given the choice of a browser blowing up
or allowing ANY web site to run ANY binary on my PC, I would wisely choose
my browser blowing up. Now, face it, once and for all, your mighty
Microsoft, yet again, screwed thier customers by not putting any "research"
into evaluating this serious security hole. You can fight this fact, and
try to twist words around but, all you do is prove to me that I am right in
saying "Yet again MS users are better off looking at another
platform"...squirm all you want but you are on the "hook"...

Imhotep

Karl Levinson, mvp wrote:

>
> "Imhotep" <> wrote in message
> news:KamdnUi_mJHSZRHeRVn-...
>
>> > Or, perhaps they rated it as low priority because it was "only a denial
> of
>> > service."
>>
>> Again, low are not it HAS BEEN 6 months. Second, Microsoft obviously
> dropped
>> the ball in evaluating the security hole....for 6 months...which is the
>> point of this thread.
>
> No, like you, Microsoft prioritized it lower than other vulns, because
> like you, they consider remote code execution vulns to be worse than
> browser crash vulns.


....I also believe that such a popular application, as as IE, should not go
unpatched for what 8 months now? No matter what what level of security hole
it is/was evaluated to. Unlike you, I do not make such foolish excuses...

Imhotep

Unruh wrote:

> "Karl Levinson, mvp" <> writes:
>
>
>>"Imhotep" <> wrote in message
>>news:KamdnUi_mJHSZRHeRVn-...
>
>>> > Or, perhaps they rated it as low priority because it was "only a
>>> > denial
>>of
>>> > service."
>>>
>>> Again, low are not it HAS BEEN 6 months. Second, Microsoft obviously
>>dropped
>>> the ball in evaluating the security hole....for 6 months...which is the
>>> point of this thread.
>
>>No, like you, Microsoft prioritized it lower than other vulns, because
>>like you, they consider remote code execution vulns to be worse than
>>browser crash vulns.
>
> You mean Microsoft had so many "remote code execution" vulnerabilities
> that they could not get to serious but lesser things in 6 months? They
> claim to be able to rewrite a whole operating system in only a few times
> that timeframe. If your scenario is correct then MS is far worse than its
> worst critics claim it is.


Ah you also forgot totally redoing the XBox...I guess that was were their
attention was....

But, hey, I heard that the XBox was "blue screening" too!!!!!! Somethings
never change, like Microsoft "quality".

Imhotep