
Where is the IE zero day exploit in the news...

 
 
Imhotep
 
      12-04-2005
karl levinson, mvp wrote:

>
> "Imhotep" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>
>> Microsoft was notified, what 8 months ago?

>
> Microsoft was not notified. It was posted to the Internet.


Microsoft knew about this security hole 8 months ago. Now, the code to take
advantage of the security hole for remote code execution WAS posted a month
ago that works on the SAME security vulnerability.
Stop twisting words and playing games.......


>> After reviewing it, they mistakenly "evaluated" it as low...

>
> You have nothing to back this up. You evaluated it as low yourself, when
> the same vuln was found in Firefox.


Nothing to back this up? Hummm...Microsoft had it listed as a DOS and
evaluated it as a LOW risk. True or false? Second, the vulnerability in
Firefox is just a DOS. Since the code is freely available to review (which
it was) the code was reviewed and it was written that the remote code
exploitation is IE ONLY! Maybe if IE was Open Source people could have
identified the remote code vulnerability in IE instead of getting screwed
by Microsoft again, and again, and again.

>> into evaluating this serious security hole. You can fight this fact, and
>> try to twist words around but, all you do is prove to me that I am right
>> in
>> saying "Yet again MS users are better off looking at another
>> platform"...

>
> This whole Microsoft vs. open source argument is boring. Use whatever OS
> and browser you want, but leave me out of your purchasing decision. This
> is a tech support forum, this is nothing but a waste of our time.


Well, it would be nice if you could look at this in a logical way instead of
being a Microsoft advocate. Second, I originally posted the question of why
this was not being posted on the non techie popular web sites. I am still
waiting for your answer.....

>> my browser blowing up. Now, face it, once and for all, your mighty
>> Microsoft, yet again, screwed their customers by not putting any
>> "research"

>
>> squirm all you want but you are on the "hook"...

>
> "My mighty Microsoft?" Me on the hook? I'm not Microsoft, and I'm not a
> Microsoft pawn. I use and encourage others to use non-Microsoft products.
> There are lots of things I don't like about Microsoft and things I've said
> against Microsoft over the years. It hurts me not at all when you insult
> Microsoft or decline to buy their products. Just when you insult
> Microsoft,
> make sure it's for valid reasons. I've got plenty of them myself.


OK. However, please be a little more neutral. I used to use Microsoft
products also. However, like most people I got tired of the endless lies
and bullshit whitepapers.....

Imhotep
 
 
 
 
 
Imhotep
 
      12-04-2005
Todd H. wrote:

> "karl levinson, mvp" <(E-Mail Removed)> writes:
>> "My mighty Microsoft?" Me on the hook? I'm not Microsoft, and I'm
>> not a Microsoft pawn. I use and encourage others to use
>> non-Microsoft products. There are lots of things I don't like about
>> Microsoft and things I've said against Microsoft over the years. It
>> hurts me not at all when you insult Microsoft or decline to buy
>> their products. Just when you insult Microsoft, make sure it's for
>> valid reasons. I've got plenty of them myself.

>
> Well said.
>
> See, the problem here is that Imhotep talks like someone who has never
> produced anything of complexity, had to support it, or had to support
> any sizable numbers of end customers of a complex system in all of his
> life.


....and you talk like someone who talks out of his ass. You seem to be the
type that reads and believes every whitepaper you come across but when
asked a serious technical question run to your friendly contractor. Spare
me your foolish gibberish. You have no idea who I am or what I do for a
living. Meatball.

> Otherwise, he'd realize that his beef over this issue is completely
> unreasonable. I mean, if you're going to pick on Microsoft (and God,
> who in the security community doesn't?), the menu of "things to have a
> legitimate gripe about" is so large, you have to be an idiot to waste
> so much effort trying to order something that's not on that menu.
> Imhotep appears to be That Guy, though.


I have asked why this news (I have not looked in about three days) was not
in the non techie popular news sites. Why? Because it usually is the home
users getting screwed more than anyone else. This is a legitimate gripe, as
again, these are the people getting screwed. I would think that someone as,
ahem, intelligent as you could comprehend that.

> Truth is, this exact same scenario could happen to Mozilla or Opera,
> or any other software vendor tomorrow if anyone came up with a remote
> exploit that was related to any prior unfixed, low-threat DOS
> condition in their products.


Did you even read any of the prior threads? That "gripe" as you put it was
about how Microsoft with all of its money dropped that ball on a very
critical security hole and as such put millions of pc users in bad
position. It was not about how a security hole could come into being on
other software (da!).

Imhotep

> Best Regards,


 
 
 
 
 
Imhotep
 
      12-05-2005
Charlie Tame wrote:

>
> "Todd H." <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> "karl levinson, mvp" <(E-Mail Removed)> writes:
>>> "My mighty Microsoft?" Me on the hook? I'm not Microsoft, and I'm
>>> not a Microsoft pawn. I use and encourage others to use
>>> non-Microsoft products. There are lots of things I don't like about
>>> Microsoft and things I've said against Microsoft over the years. It
>>> hurts me not at all when you insult Microsoft or decline to buy
>>> their products. Just when you insult Microsoft, make sure it's for
>>> valid reasons. I've got plenty of them myself.

>>
>> Well said.
>>
>> See, the problem here is that Imhotep talks like someone who has never
>> produced anything of complexity, had to support it, or had to support
>> any sizable numbers of end customers of a complex system in all of his
>> life.
>>
>> Otherwise, he'd realize that his beef over this issue is completely
>> unreasonable. I mean, if you're going to pick on Microsoft (and God,
>> who in the security community doesn't?), the menu of "things to have a
>> legitimate gripe about" is so large, you have to be an idiot to waste
>> so much effort trying to order something that's not on that menu.
>> Imhotep appears to be That Guy, though.
>>
>> Truth is, this exact same scenario could happen to Mozilla or Opera,
>> or any other software vendor tomorrow if anyone came up with a remote
>> exploit that was related to any prior unfixed, low-threat DOS
>> condition in their products.
>>
>> Best Regards,
>> --
>> Todd H.
>> http://www.toddh.net/

>
> Exactly so Todd, which is why I tried to point out earlier that such
> exaggeration of relatively trivial issues actually reflects badly upon the
> skills and motives of the originator.


Hummmm...Let's look at some numbers.

1) IE => 85% marketshare of all PCs

2) IE Remote Execution code that STILL is unpatched

Still don't see this as "...trivial issue..."

Enough said.

Imhotep


> Personally I think one of the biggest problems MS have has been their need
> to keep some kind of backward compatibility whilst at the same time
> requiring "Ease of use" as one of the main features. It's led (IMHO) to
> some complex and probably indecent relationships between windows
> components but hasn't really achieved the goal of common code and module
> re-usability it should have.
>
> I think this is one development advantage Linux had from its conception.
> If there are rules for using a module you are forced to write your part in
> accordance with those rules, else it is your part that won't work - you
> cannot approach the author of the module you wish to use and or alter it
> yourself with what may be a "Bad" idea without it being reviewed
> extensively.
>
> I mean I fully understand MS trying to build IE into the system but see no
> real commercial advantage in trying to force people to use what is
> essentially a free giveaway product. There are quite a few instances where
> IE gets broken and lots of other things are affected, while FireFox keep
> on working. Aside from windows update there's nothing much that can only
> be done with IE... and for windows update I don't see why they need to
> pursue ActiveX as they have done. I'd have thought a separate utility for
> updates a viable option.
>
> I think it's better to approach these things with a view to trying to
> improve the product rather than having an obvious "Bashing" agenda. I
> don't particularly feel I should bash "Linux" or the "Linux Community", or
> any other OS for that matter - but I do feel that many millions of
> computer users don't really want an in depth learning experience, they
> want to buy a computer and simply "Use" it. I believe I see evidence of
> this in the trend toward more GUI stuff - which in turn brings the same
> kinds of problems that Windows has.
>
> Charlie


 
 
Imhotep
 
      12-05-2005
Alun Jones wrote:

> In article <(E-Mail Removed)>, "karl levinson, mvp"
> <(E-Mail Removed)> wrote:
>>"My mighty Microsoft?" Me on the hook? I'm not Microsoft, and I'm not a
>>Microsoft pawn. I use and encourage others to use non-Microsoft products.
>>There are lots of things I don't like about Microsoft and things I've said
>>against Microsoft over the years. It hurts me not at all when you insult
>>Microsoft or decline to buy their products. Just when you insult
>>Microsoft,
>>make sure it's for valid reasons. I've got plenty of them myself.

>
> To back up what Karl says, my rationale for most of my postings here is as
> follows:
>
> Those of you screaming about fantasised bugs or incorrectly perceived
> stupidity on Microsoft's part are making it difficult for us to get heard
> when
> we complain about real bugs and real stupidity. You also make it real
> easy for Microsoft to address those fantasies with spin rather than the
> realities that require actual code.


Are you saying the IE's Remote Code is not a "real bug"? Are you really
saying that? Are you saying that I am just "bitching" because I feel that
they could have handled this a hell-of-a-lot better than they did? Are you
really saying that?

Imhotep

>
> Alun.
> ~~~~
>
> [Please don't email posters, if a Usenet response is appropriate.]


 
 
fluidly unsure
 
      12-05-2005
Imhotep wrote:
> Todd H. wrote:
>
>
>>"karl levinson, mvp" <(E-Mail Removed)> writes:
>>
>>>"My mighty Microsoft?" Me on the hook? I'm not Microsoft, and I'm
>>>not a Microsoft pawn. I use and encourage others to use
>>>non-Microsoft products. There are lots of things I don't like about
>>>Microsoft and things I've said against Microsoft over the years. It
>>>hurts me not at all when you insult Microsoft or decline to buy
>>>their products. Just when you insult Microsoft, make sure it's for
>>>valid reasons. I've got plenty of them myself.

>>
>>Well said.
>>
>>See, the problem here is that Imhotep talks like someone who has never
>>produced anything of complexity, had to support it, or had to support
>>any sizable numbers of end customers of a complex system in all of his
>>life.

>
>
> ...and you talk like someone who talks out of his ass. You seem to be the
> type that reads and believes every whitepaper you come across but when
> asked a serious technical question run to your friendly contractor. Spare
> me your foolish gibberish. You have no idea who I am or what I do for a
> living. Meatball.
>
>
>>Otherwise, he'd realize that his beef over this issue is completely
>>unreasonable. I mean, if you're going to pick on Microsoft (and God,
>>who in the security community doesn't?), the menu of "things to have a
>>legitimate gripe about" is so large, you have to be an idiot to waste
>>so much effort trying to order something that's not on that menu.
>>Imhotep appears to be That Guy, though.

>
>
> I have asked why this news (I have not looked in about three days) was not
> in the non techie popular news sites. Why? Because it usually is the home
> users getting screwed more than anyone else. This is a legitimate gripe, as
> again, these are the people getting screwed. I would think that someone as,
> ahem, intelligent as you could comprehend that.
>
>
>>Truth is, this exact same scenario could happen to Mozilla or Opera,
>>or any other software vendor tomorrow if anyone came up with a remote
>>exploit that was related to any prior unfixed, low-threat DOS
>>condition in their products.

>
>
> Did you even read any of the prior threads? That "gripe" as you put it was
> about how Microsoft with all of its money dropped that ball on a very
> critical security hole and as such put millions of pc users in bad
> position. It was not about how a security hole could come into being on
> other software (da!).


What about the recent outbreak of rootkit and rootkit-like malware? I
read a paper on how to handle that potential threat from MS that was
written last year. They were on the ball on that one. They were prepared for
the problem almost a year before SysInternals was.

They've learned from past mistakes. SP2 is fixing many of the problems
they used to deny and they are embracing third-party audits. Remember
when they were so upset with eEye for finding vulnerabilities in their
software? Now they are thanking them for their work.

While they've made some incredibly stupid decisions, they've also made
some good ones. Let's give credit where credit is due.

>
> Imhotep
>
>
>>Best Regards,

>
>



--

Liquid
 
 
Todd H.
 
      12-05-2005
Imhotep <(E-Mail Removed)> writes:

> You have no idea who I am or what I do for a living. Meatball.


So enlighten us,...umm eggroll.

Mmmmm. Eggrolls.

Or, actually, don't bother because your thought process on this issue
and others speaks a lot louder than your resume would.

> I have asked why this news (I have not looked in about three days) was not
> in the non techie popular news sites. Why? Because it usually is the home
> users getting screwed more than anyone else. This is a legitimate gripe, as
> again, these are the people getting screwed. I would think that someone as,
> ahem, intelligent as you could comprehend that.


It has hit the popular media but no more than any other security issue
would. That it's very serious in widely deployed software, yet the
media isn't hooting and hollering is indeed curious, and lamentable.
That is actually a useful and interesting insight.

But that's not the argument that makes folks think you're off the deep
end on the Microsoft bashing as a result. Let's be clear what we're
arguing about, butter wings.

> > Truth is, this exact same scenario could happen to Mozilla or Opera,
> > or any other software vendor tomorrow if anyone came up with a remote
> > exploit that was related to any prior unfixed, low-threat DOS
> > condition in their products.

>
> Did you even read any of the prior threads? That "gripe" as you put
> it was about how Microsoft with all of its money dropped that ball
> on a very critical security hole and as such put millions of pc
> users in bad position. It was not about how a security hole could
> come into being on other software (da!).


It's not about money. It's not about resources. Every business is
about managing risk with finite resources. Yes, even Microsoft has
finite resources. If it had infinite resources, it wouldn't be
profitable, and would've gone under long ago.

You contend that it's a hanging crime that Microsoft didn't fix a
denial of service vulnerability for 8 months. I, and a lot of others,
evidently disagree with that, and say yours is an unreasonable gripe
because the vulnerability as originally discovered was not that big a
deal.

Yes, NOW it really is a big friggin deal and people should be
concerned. And, with respect to Microsoft's response, reasonable
folks will start the "hangin crime" timer on Microsoft's response to
the issue from the moment the remote code execution exploit of this
vulnerability was released. Not from when the "harmless denial of
service" release date.

Best Regards,
--
Todd H.
http://www.toddh.net/
 
 
Alun Jones
 
      12-05-2005
In article <eTBS29B#(E-Mail Removed)>, "Charlie Tame"
<(E-Mail Removed)> wrote:
>Personally I think one of the biggest problems MS have has been their need
>to keep some kind of backward compatibility whilst at the same time
>requiring "Ease of use" as one of the main features. It's led (IMHO) to some
>complex and probably indecent relationships between windows components but
>hasn't really achieved the goal of common code and module re-usability it
>should have.


This point is worth expanding.

Let's assume Microsoft could prevent all unsecure code from running...
tomorrow.

If they did so, pretty much every application out there would stop running. I
mean, look at the uproar in the press over XP Service Pack 2, where there was
a suggestion that a full 10% of all applications would "be broken by" XP SP2.

The answer, of course, is that those applications were already broken before
XP SP2 came along, but that XP SP2 stopped being "Mr Nice Guy" to them, and
allowing them to operate in such a broken way.

Did this make the 3rd party vendors sit up and listen? Like hell it did. No,
they bitched and moaned about the heavy-handed action Microsoft was taking -
even though they were essentially arguing against security.

Did it make users sit up and listen? Again, hell no. I still meet users who
complain that they aren't going to install XP SP2 because it breaks one or
more of their applications. That means that they would rather run unsecure
software.

Microsoft Windows is shackled by its history, whereas other operating systems
work without such shackles (though the Linux/Unix crowd have their own
shackles to deal with, largely the concept of "it's a system call, it'll never
fail" that seems endemic to the *n*x development world). If Microsoft fixed
every bug tomorrow, statistically speaking, nobody would update to the new
software, because they have applications that need to run today.

And statistically speaking, no one is pressuring the vendors to change their
development tactics. Intuit is "proud" to release yet another version of
Quickbooks that requires you run as an Administrator (or Power User, which is
essentially the same thing). [Sorry, Intuit, but let's face it, you've been
told about this one time and time again, and you don't seem to give a damn.]

Intuit is far from being the only one. Why do you have to be an administrator
to play "Mary Kate & Ashley's Dance Party of the Century"? How many admins do
you know that are fans of the Olsen twins, except in a pervy way? "Rainbow
Six", "Scrabble 2", "Photosuite 4.0", etc, etc (see
http://www.threatcode.com, or http://support.microsoft.com/?id=307091 for
more) - and yes, some of those listed are Microsoft titles.

[Some of this mess could have been avoided if the "administrator" privileges
were renamed "janitorial" privileges. That's really what they are.]

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software | Find us at http://www.wftpd.com or email
23921 57th Ave SE | (E-Mail Removed).
Washington WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
 
 
Alun Jones
 
      12-05-2005
In article <(E-Mail Removed)>, Imhotep <(E-Mail Removed)>
wrote:
>Are you saying the IE's Remote Code is not a "real bug"? Are you really
>saying that? Are you saying that I am just "bitching" because I feel that
>they could have handled this a hell-of-a-lot better than they did? Are you
>really saying that?


Did I say that?

No.

Then I am not really saying that.

Thank you for playing.

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software | Find us at http://www.wftpd.com or email
23921 57th Ave SE | (E-Mail Removed).
Washington WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
 
 
karl levinson, mvp
 
      12-05-2005

"Imhotep" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...

> Hummmm...Let's look at some numbers.
>
> 1) IE => 85% marketshare of all PCs
>
> 2) IE Remote Execution code that STILL is unpatched
>
> Still don't see this as "...trivial issue..."
>
> Enough said.


No one is saying that the vuln is trivial. They're talking about the issue
of this not being widely reported in the mainstream media.

Even this vuln, despite being rated critical, is very unlikely to infect you
or other home users. Browser vulns rarely compromise that many computers.
One of the most famous ones so far was Download.Ject / ADODB.Stream, and
that really did not compromise very many people. So you have some bugs that
cause too much media sensation, and others that don't cause enough. The
media is fickle and are not security experts. It's not a Microsoft / media
conspiracy.

Microsoft patches take usually a few hours to a day to code and at least 45
days to test and release. That's just the way it works. The world
[including you] has asked that MS patches be made more reliable, so the
world is going to have to wait.


 
 
Imhotep
 
      12-07-2005
karl levinson, mvp wrote:

>
> "Imhotep" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>
>> Hummmm...Let's look at some numbers.
>>
>> 1) IE => 85% marketshare of all PCs
>>
>> 2) IE Remote Execution code that STILL is unpatched
>>
>> Still don't see this as "...trivial issue..."
>>
>> Enough said.

>
> No one is saying that the vuln is trivial. They're talking about the
> issue of this not being widely reported in the mainstream media.
>
> Even this vuln, despite being rated critical, is very unlikely to infect
> you
> or other home users. Browser vulns rarely compromise that many computers.
> One of the most famous ones so far was Download.Ject / ADODB.Stream, and
> that really did not compromise very many people. So you have some bugs
> that
> cause too much media sensation, and others that don't cause enough. The
> media is fickle and are not security experts. It's not a Microsoft /
> media conspiracy.
>
> Microsoft patches take usually a few hours to a day to code and at least
> 45
> days to test and release. That's just the way it works. The world
> [including you] has asked that MS patches be made more reliable, so the
> world is going to have to wait.


I do not see warning people about a seriously critical security hole as
being trivial. Tell that to the people that lose their credit card info (or
whatever)....I am sure they would love to hear your explanation about how
"trivial" it is...

However, it is strange that Firefox gets press for a trivial IDN security
issue and IE gets none for a browser remote code execution security issue.
Don't you think that is a little strange?

It has been how long now 2 weeks and not a peep on any of the popular web
sites....Yet the media loves to sensationalize things...still not a peep...

Sorry but I think there is a little political (marketing) pressure here....

Imhotep
 