Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Computing > Computer Security > Where is the IE zero day exploit in the news...

Reply
Thread Tools

Where is the IE zero day exploit in the news...

 
 
Imhotep
Guest
Posts: n/a
 
      12-02-2005
Alun Jones wrote:

> In article <dmngj9$m2$(E-Mail Removed)>, Unruh
> <(E-Mail Removed)> wrote:
>>You mean Microsoft had so many "remote code execution" vulnerabilities
>>that they could not get to serious but lesser things in 6 months? They
>>claim to be able to rewrite a whole operating system in only a few times
>>that timeframe. If your scenario is correct then MS is far worse than its
>>worst critics claim it is.

>
> Or, to put it a different way, Microsoft could have added another patch
> that likely requires you to reboot your operating system for a low-level
> denial-of-service issue that wasn't being exploited, and because it was a
> low-level DoS, wasn't likely to be exploited.
>
> Yeah, that would be just wonderful, wouldn't it? "Microsoft made me
> reboot my machine - again - for /nothing/?"
>
> You can't just release patches and assume that everyone will be happy.
>
> You have to test the patches (and remember, not everyone installs every
> patch, so you have to test a number of different variations of
> installations), and then you have to decide "is the damage to our users'
> systems going to be greater if we release the patch than if we wait for
> the next service pack or other patch to this portion?"
>
> For IE, the chances would be high that some other patch would need to go
> out, so why force an update (and a reboot) for a minor issue, knowing that
> it would likely not be attacked before the next time you got to issue a
> patch?
>
> You are talking in such black and white terms, it's as if you miss the
> whole complexity of the issue.
>
> Alun.
> ~~~~
>
> [Please don't email posters, if a Usenet response is appropriate.]



....So what you are saying is that Microsoft can not get patches (or asses
security holes) right either? OK, I agree with that....

Oh, there was the 051 patch fiasco...just recently...but hey did you buy the
new XBox? I heard it has a new "blue Screen" feature!

Imhotep
 
Reply With Quote
 
 
 
 
karl levinson, mvp
Guest
Posts: n/a
 
      12-02-2005

"Imhotep" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...

> ...I also believe that such a popular application, as as IE, should not go
> unpatched for what 8 months now? No matter what what level of security
> hole
> it is/was evaluated to. Unlike you, I do not make such foolish excuses...


I don't particularly want patches to be released for IE denial of services.
I'd rather keep the vuln, as it is low risk. I'd rather Microsoft put their
time towards more significant security issues. You can't assume that a
patch six months ago for the DoS would have fixed this issue as well, even
if they are related or the same. Many Microsoft, Oracle and other patches
have fixed one particular vector of attacking a vuln, but another vector is
found that shows the machine still has that vulnerability.

Where are the Firefox and Opera patches?

We know that because of Microsoft's architecture and beta testing, it takes
a minimum of 45 days for any Microsoft patch to be released. This is
necessary because many third party programs rely on IE / MSHTML rendering,
while few rely on Firefox / Mozilla for rendering. A Firefox patch isn't
going to break anything but Firefox, so they can put it out as fast as they
want. Things are also worse when things break for paying customers who can
flood your support lines for support. Firefox has no paying customers.

You keep talking about Xbox taking away security resources. The people and
departments at Microsoft who do security response and patches are totally
different, there is no sharing of resources. I personally wouldn't have
chosen to design a gaming console or an ATM on a Windows-based OS myself,
and I don't own or care about xbox.



 
Reply With Quote
 
 
 
 
karl levinson, mvp
Guest
Posts: n/a
 
      12-02-2005

"Imhotep" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...

> Microsoft was notified, what 8 months ago?


Microsoft was not notified. It was posted to the Internet.

> After reviewing it, they mistakenly "evaluated" it as low...


You have nothing to back this up. You evaluated it as low yourself, when
the same vuln was found in Firefox.

> into evaluating this serious security hole. You can fight this fact, and
> try to twist words around but, all you do is prove to me that I am right
> in
> saying "Yet again MS users are better off looking at another
> platform"...


This whole Microsoft vs. open source argument is boring. Use whatever OS
and browser you want, but leave me out of your purchasing decision. This is
a tech support forum, this is nothing but a waste of our time.

> my browser blowing up. Now, face it, once and for all, your mighty
> Microsoft, yet again, screwed thier customers by not putting any
> "research"


> squirm all you want but you are on the "hook"...


"My mighty Microsoft?" Me on the hook? I'm not Microsoft, and I'm not a
Microsoft pawn. I use and encourage others to use non-Microsoft products.
There are lots of things I don't like about Microsoft and things I've said
against Microsoft over the years. It hurts me not at all when you insult
Microsoft or decline to buy their products. Just when you insult Microsoft,
make sure it's for valid reasons. I've got plenty of them myself.



 
Reply With Quote
 
Alun Jones
Guest
Posts: n/a
 
      12-02-2005
In article <(E-Mail Removed)>, Imhotep
<(E-Mail Removed)> wrote:
>Please, spare me. What I said was given the choice of a browser blowing up
>or allowing ANY web site to run ANY binary on my PC, I would wisely choose
>my browser blowing up. Now, face it, once and for all, your mighty
>Microsoft, yet again, screwed thier customers by not putting any "research"
>into evaluating this serious security hole. You can fight this fact, and
>try to twist words around but, all you do is prove to me that I am right in
>saying "Yet again MS users are better off looking at another
>platform"...squirm all you want but you are on the "hook"...


Your argument about Microsoft "not researching" this security issue is
specious. There's an old adage in development that "you can't test bugs out
of a product" - this doesn't just mean that a developer has to fix the
product, it also means that test can only find bugs, it can't prove that all
the bugs have been found.

The same is true of research into a security bug. You can find a way to
exploit a security bug, but no matter how much research you throw into it, you
can't, in general, say "there is no way to exploit this security bug".

A while back, the accepted opinion was that heap memory was impossible to
exploit. Nowadays, it's clear that this is no longer true. Similarly, it may
have taken a leap of logic to find out exactly how to exploit what appeared to
its researchers to be merely a DoS.

Don't forget that Microsoft wasn't alone in researching this issue - the
original discoverer was also researching it, and categorised it as a DoS only,
as well. Only recently has it become clear that it is exploitable. As a
result, with all the research suggesting that the bug was a DoS, it was
handled correctly as a DoS.

What I'd like to ask is, if it's so easy to make this into an exploit, why
_you_ weren't pointing this obvious fact out to Microsoft six months ago? You
make it abundantly clear above that you are superior to Microsoft's own
security staff, yet even you were unaware that this exploit existed. Why is
that?

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software | Find us at http://www.wftpd.com or email
23921 57th Ave SE | http://www.velocityreviews.com/forums/(E-Mail Removed).
Washington WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
 
Reply With Quote
 
Alun Jones
Guest
Posts: n/a
 
      12-02-2005
In article <(E-Mail Removed)>, "karl levinson, mvp"
<(E-Mail Removed)> wrote:
>"My mighty Microsoft?" Me on the hook? I'm not Microsoft, and I'm not a
>Microsoft pawn. I use and encourage others to use non-Microsoft products.
>There are lots of things I don't like about Microsoft and things I've said
>against Microsoft over the years. It hurts me not at all when you insult
>Microsoft or decline to buy their products. Just when you insult Microsoft,
>make sure it's for valid reasons. I've got plenty of them myself.


To back up what Karl says, my rationale for most of my postings here is as
follows:

Those of you screaming about fantasised bugs or incorrectly perceived
stupidity on Microsoft's part are making it difficult for us to get heard when
we complain about real bugs and real stupidity. You also make it real easy
for Microsoft to address those fantasies with spin rather than the realities
that require actual code.

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software | Find us at http://www.wftpd.com or email
23921 57th Ave SE | (E-Mail Removed).
Washington WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
 
Reply With Quote
 
Alun Jones
Guest
Posts: n/a
 
      12-02-2005
In article <(E-Mail Removed)>, Imhotep
<(E-Mail Removed)> wrote:
>Ah you also forgot totally redoing the XBox...I guess that was were their
>attention was....


Enough with the XBox conspiracy theories already. Microsoft is not a single
entity, with only one developer, one tester and one one salesperson - the XBox
division is a different division from anything that you're talking about. The
only way you might claim that patching IE gets delayed to ship the XBox is if
you could show that the IE development team quit to go and work on the XBox.
Without that information, you sound like a loony.

>But, hey, I heard that the XBox was "blue screening" too!!!!!! Somethings
>never change, like Microsoft "quality".


Do you know any software that didn't have bugs creep past testing?

Bugs are a hazard of the profession - what marks one company above another is
not the number of bugs discovered, but what they do to prevent future bugs,
especially future occurrences of the same bug.

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software | Find us at http://www.wftpd.com or email
23921 57th Ave SE | (E-Mail Removed).
Washington WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
 
Reply With Quote
 
Alun Jones
Guest
Posts: n/a
 
      12-02-2005
In article <(E-Mail Removed)>, Imhotep
<(E-Mail Removed)> wrote:
>....So what you are saying is that Microsoft can not get patches (or asses
>security holes) right either? OK, I agree with that....


What I am saying is that noone assessed this security hole "right", for its
first six months of existence; and that patches take time and require testing,
that they often require a reboot, and that users get irritated with repeatedly
having to reboot machines for updates that fix minor problems.

>Oh, there was the 051 patch fiasco...just recently...but hey did you buy the
>new XBox? I heard it has a new "blue Screen" feature!


Why are you obsessed with the XBox? Put it on your list in your letter to
Santa, and wait. There isn't a prize for posting the most articles
referencing it unnecessarily.

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software | Find us at http://www.wftpd.com or email
23921 57th Ave SE | (E-Mail Removed).
Washington WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
 
Reply With Quote
 
fluidly unsure
Guest
Posts: n/a
 
      12-03-2005
Karl Levinson, mvp wrote:
> "Alun Jones" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>
>>In article <dmngj9$m2$(E-Mail Removed)>, Unruh

>
> <(E-Mail Removed)> wrote:
>
>
>>For IE, the chances would be high that some other patch would need to go

>
> out,
>
>>so why force an update (and a reboot) for a minor issue, knowing that it

>
> would
>
>>likely not be attacked before the next time you got to issue a patch?

>
>
> Not to mention that there are and always will be plenty of ways to DoS any
> browser. Just put it into a never ending loop, for example. No big deal,
> really, just shut down your browser and re-start it and the problem goes
> away, unless the user is stupid enough to go back to the site that DoSsed
> them in the first place. That's why you never ever see someone trying to
> execute a browser DoS.
>
>
>


But many users will panic when the browser stops functioning. They seem
to be afraid the computer might explode if the hit the close button too
hard. Isn't that a social engineering Dos?

What about all the companies selling with a big FUD FACTOR. Like
"Evidence Eliminator"'s attempt to scare people into buying their
product because hackers can see their harddisk from the Internet!


--

Liquid
 
Reply With Quote
 
Todd H.
Guest
Posts: n/a
 
      12-03-2005
"karl levinson, mvp" <(E-Mail Removed)> writes:
> "My mighty Microsoft?" Me on the hook? I'm not Microsoft, and I'm
> not a Microsoft pawn. I use and encourage others to use
> non-Microsoft products. There are lots of things I don't like about
> Microsoft and things I've said against Microsoft over the years. It
> hurts me not at all when you insult Microsoft or decline to buy
> their products. Just when you insult Microsoft, make sure it's for
> valid reasons. I've got plenty of them myself.


Well said.

See, the problem here is the Imhotep talks like someone who has never
produced anything of complexity, had to support it, or had to support
any sizable numbers of end customers of a complex system in all of his
life.

Otherwise, he'd realize that his beef over this issue is completely
unreasonable. I mean, if you're going to pick on Microsoft (and God,
who in the security community doesn't?), the menu of "things to have a
legitimate gripe about" is so large, you have to be an idiot to waste
so much effort trying to order something that's not on that menu.
Imhotep appears to be That Guy, though.

Truth is, this exact same scenario could happen to Mozilla or Opera,
or any other software vendor tomorrow if anyone came up with a remote
exploit that was related to any prior unfixed, low-threat DOS
condition in their products.

Best Regards,
--
Todd H.
http://www.toddh.net/
 
Reply With Quote
 
Charlie Tame
Guest
Posts: n/a
 
      12-03-2005

"Todd H." <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> "karl levinson, mvp" <(E-Mail Removed)> writes:
>> "My mighty Microsoft?" Me on the hook? I'm not Microsoft, and I'm
>> not a Microsoft pawn. I use and encourage others to use
>> non-Microsoft products. There are lots of things I don't like about
>> Microsoft and things I've said against Microsoft over the years. It
>> hurts me not at all when you insult Microsoft or decline to buy
>> their products. Just when you insult Microsoft, make sure it's for
>> valid reasons. I've got plenty of them myself.

>
> Well said.
>
> See, the problem here is the Imhotep talks like someone who has never
> produced anything of complexity, had to support it, or had to support
> any sizable numbers of end customers of a complex system in all of his
> life.
>
> Otherwise, he'd realize that his beef over this issue is completely
> unreasonable. I mean, if you're going to pick on Microsoft (and God,
> who in the security community doesn't?), the menu of "things to have a
> legitimate gripe about" is so large, you have to be an idiot to waste
> so much effort trying to order something that's not on that menu.
> Imhotep appears to be That Guy, though.
>
> Truth is, this exact same scenario could happen to Mozilla or Opera,
> or any other software vendor tomorrow if anyone came up with a remote
> exploit that was related to any prior unfixed, low-threat DOS
> condition in their products.
>
> Best Regards,
> --
> Todd H.
> http://www.toddh.net/


Exactly so Todd, which is why I tried to point out earlier that such
exaggeration of relatively trivial issues actually reflects badly upon the
skills and motives of the originator.

Personally I think one of the biggest problems MS have has been their need
to keep some kind of backward compatibility whilst at the same time
requiring "Ease of use" as one of the main features. It's led (IMHO) to some
complex and probably indecent relationships between windows components but
hasn't really achieved the goal of common code and module re-usability it
should have.

I think this is one development advantage Linux had from it's conception. If
there are rules for using a module you are forced to write your part in
accordance with those rules, else it is your part that won't work - you
cannot approach the author of the module you wish to use and or alter it
yourself with what may be a "Bad" idea without it being reviewed
extensively.

I mean I fully understand MS trying to build IE into the system but see no
real commercial advantage in trying to force people to use what is
essentially a free giveaway product. There are quite a few instances where
IE gets broken and lots of other things are affected, while FireFox keep on
working. Aside from windows update there's nothing much that can only be
done with IE... and for windows update I don't see why they need to pursue
ActiveX as they have done. I'd have thought a separate utility for updates a
viable option.

I think it's better to approach these things with a view to trying to
improve the product rather than having an obvious "Bashing" agenda. I don't
particularly feel I should bash "Linux" or the "Linux Community", or any
other OS for that matter - but I do feel that many millions of computer
users don't really want an in depth learning experience, they want to buy a
computer and simply "Use" it. I believe I see evidence of this in the trend
toward more GUI stuff - which in turn brings the same kinds of problems that
Windows has.

Charlie


 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Re: Windump 7 zero day exploit out! WoW! Thats FAST! chuckcar Computer Support 3 11-14-2009 05:06 PM
Re: Windump 7 zero day exploit out! WoW! Thats FAST! VanguardLH Computer Support 4 11-14-2009 03:16 PM
Zero day exploit shatters windopz desktop products 7 Computer Support 7 11-08-2006 09:09 PM
ANTI-VIRUS May Prove Insufficient in Battling Zero-Day WMF Exploit Au79 Computer Support 0 01-07-2006 01:04 AM
Zero-day IE exploit... Imhotep Computer Security 21 11-28-2005 06:17 AM



Advertisments