Microsoft Internet Explorer Malformed HTML Parsing Denial of Service Vulnerability

Sebastian Gottschalk
      05-31-2006
Imhotep wrote:

>> Eh, no. Even on Unix they concluded "yes, we could carefully
>> deinitialize and restart this specific services with dependencies, but
>> it would be too complicated to implement, so we better restart the whole
>> system."

>
> I stop/start/restart services every day as we are a UNIX shop. I almost
> NEVER have to reboot (except when upgrading the OS)...


I meant kernel services from a system view, not these services.
When changing some not dynamically loaded kernel components, you'll have
to reboot.

>> For Windows, it's just that there are more scenarios requiring a reboot.

>
> Just about everything require a reboot in windows...


Only if you don't know what to do. Some people reboot for unlocking open
files, some other people just enter the admin password, acquire debug
privilege and invalidate the file handle using Unlocker or Process
Explorer (of course, there's no default tool that has such an ability).

I remember my last reboot was... ehm... eh... sorry, simply can't
remember such a long time. Must have been somewhere around the initial
setup about a year ago (when the previous hard disk died).

> That is very typical....


This is very typical for every programmer who doesn't have a
sufficiently deep clue. The real problem is that Microsoft shouldn't let
such underqualified people handle important security stuff, and I know
that they do have qualified programmers.

>>> How about demanding software quality and timely patches?

>> Dunno, but from what Guninski and Lie Di Yu concluded about some serious
>> design bugs IE was never designed/intended to be used in a untrusted
>> network (like the internet).

>
> I believe it.


I don't. There are some other smaller design errors which could be fixed
without revamping the entire code, and a lot of errors are really just
random programming errors.

So far only the cross-domain policy and the entire concept of ActiveX
are definitely broken. The rest is just lousy.

Well, there's a difference between intent and suitability.

>>> How many time do you guys have to relive the same problems before
>>> something clicks?

>> Until it's explicitly written into a (online) manual about IE? I guess
>> not even then.

>
> hahahaha...


Don't wonder, in Microsoft online documentation you'll find explicit
warnings about the unencrypted nature of using telnet, rcp, rsh and rexec
with recommendations for SSH, SCP and SFTP. You'll find warnings that LM
hashes are bad, bad, bad. You'll even find some press paper admitting
that Win98's multi-monitor support was beta quality.
Imhotep
      05-31-2006
Sebastian Gottschalk wrote:

> Imhotep wrote:
>
>>> Eh, no. Even on Unix they concluded "yes, we could carefully
>>> deinitialize and restart this specific services with dependencies, but
>>> it would be too complicated to implement, so we better restart the whole
>>> system."

>>
>> I stop/start/restart services every day as we are a UNIX shop. I almost
>> NEVER have to reboot (except when upgrading the OS)...

>
> I meant kernel services from a system view, not these services services.
> When chancing some not dynamically loaded kernel components, you'll have
> to reboot.


The only time you have to reboot UNIX is when upgrading/altering the kernel,
generally speaking. Even kernel modules can be loaded/unloaded while the
system is up and running perfectly fine. Frankly, this is acceptable since
you very rarely upgrade your kernel. Everything else does not require
rebooting...

>>> For Windows, it's just that there are more scenarios requiring a reboot.

>>
>> Just about everything require a reboot in windows...

>
> Only it you don't know what to do. Some people reboot for unlocking open
> files, some other people just enter the admin password, aquire debug
> privilege and invalidate the file handle using Unlocker or Process
> Explorer (of course, there's no default tool who has such an ability).


I am talking about the foolish requirement when you install software. Why is
it that the majority of the time, if I install software (applications), I have to
reboot? This is the foolishness of which I speak...

> I remember my last reboot was... ehm... eh... sorry, simply can't
> remember such a long time. Must have been somewhere around the initial
> setup about a year ago (when the previous harddisk died).


I guess you did not patch that Windows box of yours!

I have some Linux boxes that have been running for years. Literally 3+
years... (even patched them without rebooting, no kernel patches that is)

>> That is very typical....

>
> This is very typical for every programmer who doesn't have a
> sufficiently deep clue. The real problem is that Microsoft shouldn't let
> such underqualified people handle important security stuff, and I know
> that they do have qualified programmers.


Every company has qualified people. Microsoft's problem is that they care
more about marketing than quality... that is their problem. Case in point
is Vista. They had an opportunity to finally force vendors to make software
that does not require users to be in the local admin group (bad security).
Now, I know from experience that you can get most MS software to run by
altering permissions/groups/or runas, but this is not out-of-the-box
behavior. Instead of doing this (telling software vendors to make software
that is installed as a local admin but run by regular users) they said we
will use the UAC and just bombard users with permission questions. This is
just plain foolish. How many users will just answer "yes" to everything,
thus making the "security" behind the idea moot?

>>>> How about demanding software quality and timely patches?
>>> Dunno, but from what Guninski and Lie Di Yu concluded about some serious
>>> design bugs IE was never designed/intended to be used in a untrusted
>>> network (like the internet).

>>
>> I believe it.

>
> I don't. There are some other smaller design errors which could be fixed
> without revamping the entire code, and a lot of errors are really just
> random programming errors.


Some probably are small design errors and some probably are deep structural
and thus are difficult to fix.

> So far only the cross-domain policy and the entire concept of ActiveX
> are definitely broken. The rest is just lousy.


Cross domain was always a bad joke. ActiveX was just Microsoft's way to
have a Java-like application. Most companies don't even allow ActiveX
through their firewalls, for good reason.

> Well, there's a difference between intent and suitability.
>
>>>> How many time do you guys have to relive the same problems before
>>>> something clicks?
>>> Until it's explicitly written into a (online) manual about IE? I guess
>>> not even then.

>>
>> hahahaha...

>
> Don't wonder, in Microsoft online documentation you'll find explicit
> warning about the unencrypted nature of using telnet, rcp, rsh and rexec
> with recommendations for SSH, SCP and SFTP. You'll find warnings that LM
> hashes are bad, bad, bad. You'll even find some press paper admitting
> that Win98's multi-monitor support was beta quality.


It is not rocket science...

Imhotep
Sebastian Gottschalk
      05-31-2006
Imhotep wrote:

> I am talking about the foolish requirement when you install software.
> Why is it the majority of the time if I install software
> (applications) I have to reboot. This is the foolishness to which I
> speak...


Yeah, I sometimes see software asking for reboots. Well, why should I
follow their outdated advice?

>> I remember my last reboot was... ehm... eh... sorry, simply can't
>> remember such a long time. Must have been somewhere around the
>> initial setup about a year ago (when the previous harddisk died).

>
> I guess you did not patch that Windows box of yours!


I did.

> I have some linux boxes that have been running for years. Literally
> 3+ years...(even patched them without rebooting, no kernel patches
> that is)


My Win2K box has been running for five years until the hardware died.

> Every company has qualified people. Microsoft's problem is that they
> care more about marketing than quality...that is their problem.


Hm... one could say it's the company motto: "writing software to make money"

Why do you think they crippled outbound connections with raw sockets on
WinXP SP2? Just to fulfill the foolish cries of foolish GRC worshippers.
Better image = more people keep on using Windows, more are gonna buy the
next version.

> they said we will us the UAC and just bombard users with permission
> questions. This is just plain foolish. How many users will just
> answer "yes" to everything thus making the "security" behind the idea
> moot?


Even worse, UAC doesn't work at all. The user is still an admin, just
every program is started with user rights - if the user actually was a
user, he couldn't give the programs additional rights. But now some parts
of the GUI and lots of services and drivers are still running with admin
rights, opening windows and receiving IPC messages across the UAC
boundary - a malicious program can break out of the isolation.

Dunno, but Vista will be crap anyway due to a trojan horse being
integrated into the kernel.

>> So far only the cross-domain policy and the entire concept of
>> ActiveX are definitely broken. The rest is just lousy.

>
> Cross domain was always a bad joke.


Yes, but now we know that it's fundamentally broken.

> Active-x was just Microsoft's way to have a java-like application.


Java at least has a chance to become secure, and Sun really does a good job.

> It is not rocket science...


It is marketing. May I say: IE is fine, just don't call it a web browser.
It's a wonderful ActiveX client platform for the intranet.
Karl Levinson
      05-31-2006

"Imhotep" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ...

> This should not be *common*. Second, my point *is* that this kind of
> attitude of "don't worry just reboot" is pathetic and leads to more
> security vulnerabilities (as in the example I gave above). If the security
> hole is fixed while it is "just a DOS" then the "code execution" would
> never be able to happen now would it....

nor do I care if you have one or not...
>
> However, comments like "don't worry just reboot" are irresponsible...


Only Chicken Little runs around panicking about every issue out there.
Until shown otherwise, most people agree that a browser lockup like this is
an extremely minor issue. You and I know there are far more significant
security issues out there affecting Microsoft products, and I'm going to
focus my time and attention there. Encouraging others to do the same is
responsible, not irresponsible.


Sebastian Gottschalk
      05-31-2006
Karl Levinson wrote:

>> However, comments like "don't worry just reboot" are irresponsible...

>
> Only Chicken Little runs around panicking about every issue out there.
> Until shown otherwise, most people agree that a browser lockup like this is
> an extremely minor issue.


Yeah, because dumb people are already used to such issues.
However, for serious people it is unacceptable, because they usually
don't face such issues.

> You and I know there are far more significant
> security issues out there affecting Microsoft products, and I'm going to
> focus my time and attention there.


There are none in IE.
Well, except if you're misusing IE as a web browser, and then the issues
are inherent (just like using telnet for remote access).

BTW, would you please stop cross-posting without setting a Followup-To?
Imhotep
      06-03-2006
Karl Levinson wrote:

>
> "Imhotep" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed) ...
>
>> This should not be *common*. Second, my point *is* that this kind of
>> attitude of "don't worry just reboot" is pathetic and leads to more
>> security vulnerabilities (as in the example I gave above). If the
>> security hole is fixed while it is "just a DOS" then the "code execution"
>> would never be able to happen now would it....

> nor do I care if you have one or not...
>>
>> However, comments like "don't worry just reboot" are irresponsible...

>
> Only Chicken Little runs around panicking about every issue out there.
> Until shown otherwise, most people agree that a browser lockup like this
> is
> an extremely minor issue. You and I know there are far more significant
> security issues out there affecting Microsoft products, and I'm going to
> focus my time and attention there. Encouraging others to do the same is
> responsible, not irresponsible.



hummm... one is reminded of a security vulnerability in IE not more than 8
months ago that was just "a DOS" yet turned into a full-blown critical
security hole from which code could be run by just visiting a web site. Now,
you'd think security "professionals" would take a more serious look at "just
a DOS". Most do, but I guess there still are some that must learn the hard
way, yet again....

So, call me whatever you want. I'd much rather be called "Chicken Little" than
a fake security professional any day...

--- Imhotep
Imhotep
      06-03-2006
Sebastian Gottschalk wrote:

> Imhotep wrote:
>
>> I am talking about the foolish requirement when you install software.
>> Why is it the majority of the time if I install software
>> (applications) I have to reboot. This is the foolishness to which I
>> speak...

>
> Yeah, I sometimes see software asking for reboots. Well, why should I
> follow their outdated advices?
>
>>> I remember my last reboot was... ehm... eh... sorry, simply can't
>>> remember such a long time. Must have been somewhere around the
>>> initial setup about a year ago (when the previous harddisk died).

>>
>> I guess you did not patch that Windows box of yours!

>
> I did.
>
>> I have some linux boxes that have been running for years. Literally
>> 3+ years...(even patched them without rebooting, no kernel patches
>> that is)

>
> My Win2K box has been running for five years until the hardware died.
>
>> Every company has qualified people. Microsoft's problem is that they
>> care more about marketing than quality...that is their problem.

>
> Hm... one could say it's the company motto: "writing software to make
> money"
>
> Why do you think they crippled outbound connections with raw sockets on
> WinXP SP2? Just to fulfill the foolish cries of foolish GRC worshippers.
> Better image = more people keep on using Windows, more are gonna buy the
> next version
>
>> they said we will us the UAC and just bombard users with permission
>> questions. This is just plain foolish. How many users will just
>> answer "yes" to everything thus making the "security" behind the idea
>> moot?

>
> Even worse, UAC doesn't work at all. The user is still an admin, just
> every program is started with user rights - if the user actually was an
> use, he couldn't give the programs additional rights. But now some parts
> of the GUI and lots of services and drivers are still running with admin
> rights, opening windows and receiving IPC messages across the UAC
> boundary - a malicious program can break out of the isolation.
>
> Dunno, but Vista will be crap anyway due to a trojan horse being
> integrated into the kernel.
>
>>> So far only the cross-domain policy and the entire concept of
>>> ActiveX are definitely broken. The rest is just lousy.

>>
>> Cross domain was always a bad joke.

>
> Yes, but now we know that it's fundamentally broken.
>
>> Active-x was just Microsoft's way to have a java-like application.

>
> Java at least has a chance to become secure, and Sun really does a good
> job.
>
>> It is not rocket science...

>
> It is marketing. May I say: IE is fine, just don't call it a webbrowser.
> It's a wonderful ActiveX client platform for the intranet.



Again, nicely said.....


Imhotep