Microsoft Internet Explorer Malformed HTML Parsing Denial of Service Vulnerability

Discussion in 'Computer Security' started by Imhotep, May 27, 2006.

  1. Imhotep

    Imhotep Guest

    "Microsoft Internet Explorer is affected by a denial-of-service
    vulnerability. This issue arises because the application fails to handle
    exceptional conditions in a proper manner.

    An attacker may exploit this issue by enticing a user to visit a malicious
    site, resulting in a denial-of-service condition in the application.

    This issue results in a NULL-pointer dereference, causing the application to
    crash. If attackers can manipulate the pointer being dereferenced, code
    execution may be possible. Note that this has not been confirmed.

    Since exploiting this issue requires only standard HTML, it may not be
    easily mitigated.

    Internet Explorer 6 is vulnerable to this issue; other versions may also be
    affected."

    http://www.securityfocus.com/bid/18112

    Imhotep
    Imhotep, May 27, 2006
    #1
    1. Advertising

  2. "Imhotep" <> wrote in message
    news:p...

    > Since exploiting this issue requires only standard HTML, it may not be
    > easily mitigated.


    Just restart IE. Worst case scenario, you just reboot.
    Karl Levinson, May 27, 2006
    #2
    1. Advertising

  3. Imhotep

    Imhotep Guest

    Karl Levinson wrote:

    >
    > "Imhotep" <> wrote in message
    > news:p...
    >
    >> Since exploiting this issue requires only standard HTML, it may not be
    >> easily mitigated.

    >
    > Just restart IE. Worst case scenario, you just reboot.



    ....best way to midagate a Denial of Service code flaw is to fix the code
    that allows it! Not reboot, over and over and over again! Enough with
    "Microsoft catch all solution to problems"...this too was invented by
    Microsoft...

    Imhotep
    Imhotep, May 27, 2006
    #3

  4. >> "Imhotep" <> wrote in message
    >> news:p...


    >> Just restart IE. Worst case scenario, you just reboot.

    >
    >
    > ...best way to midagate a Denial of Service code flaw is to fix the code
    > that allows it! Not reboot, over and over and over again! Enough with
    > "Microsoft catch all solution to problems"...this too was invented by
    > Microsoft...


    Actually, the author of the mangleme malformed HTML fuzzer tool found that
    IE 6 coded in 2000 was far far better coded to be far more resistant to this
    kind of attack than every other browser out there bar none, including
    Firefox coded in 2004. While IE 6 has had some serious security problems in
    the past, locking up or executing arbitrary code due to malformed HTML is
    not generally one of those problem areas.

    Having said that, every browser on the planet is vulnerable to denial of
    service and lockups requiring some sort of restart from properly formed HTML
    trickery. And every OS on the planet requires restarting a service, process
    or application of some sort to fix various problems, although some of the
    newer ones allow restarting various components without a total reboot better
    than current Windows does.
    Karl Levinson, May 30, 2006
    #4
  5. Re: Microsoft Internet Explorer Malformed HTML Parsing Denial ofService Vulnerability

    Karl Levinson wrote:

    >>> Just restart IE. Worst case scenario, you just reboot.

    >>
    >> ...best way to midagate a Denial of Service code flaw is to fix the code
    >> that allows it! Not reboot, over and over and over again! Enough with
    >> "Microsoft catch all solution to problems"...this too was invented by
    >> Microsoft...

    >
    > Actually, the author of the mangleme malformed HTML fuzzer tool found that
    > IE 6 coded in 2000 was far far better coded to be far more resistant to this
    > kind of attack than every other browser out there bar none, including
    > Firefox coded in 2004.


    And later refined this statement when he found some more DoS problems in
    IE and once more when he implemented CSS content as well, making IE the
    worst of all browsers.

    > While IE 6 has had some serious security problems in
    > the past, locking up or executing arbitrary code due to malformed HTML is
    > not generally one of those problem areas.


    Have you been sleeping the last months? Did you even take a look at
    unpatched vulnerabilities? Certainly code execution through malformed
    HTML is one of MSIE's biggest problems.

    > Having said that, every browser on the planet is vulnerable to denial of
    > service and lockups requiring some sort of restart from properly formed HTML
    > trickery.


    Huh? So you suggest you've found a general DoS condition that applies to
    currently fully fixed webbrowsers? Details please. I only know about
    HTTP 1.1 Deflate encoding decompression bombs, and whereas Windows'
    preference of IE takes down the entire system with endless swapping, any
    real webbrowsers just swaps a lot and then recovers to normal operation,
    can also be killed to stop the swapping right-out.

    > And every OS on the planet requires restarting a service, process
    > or application of some sort to fix various problems, although some of the
    > newer ones allow restarting various components without a total reboot better
    > than current Windows does.


    Fine, but what if you can't create the problems by malicious intent?

    BTW, the microsoft.public.internetexplorer.security is a joke, isn't it?
    Sebastian Gottschalk, May 30, 2006
    #5
  6. Imhotep

    Imhotep Guest

    Karl Levinson wrote:

    >
    >>> "Imhotep" <> wrote in message
    >>> news:p...

    >
    >>> Just restart IE. Worst case scenario, you just reboot.

    >>
    >>
    >> ...best way to midagate a Denial of Service code flaw is to fix the code
    >> that allows it! Not reboot, over and over and over again! Enough with
    >> "Microsoft catch all solution to problems"...this too was invented by
    >> Microsoft...

    >
    > Actually, the author of the mangleme malformed HTML fuzzer tool found that
    > IE 6 coded in 2000 was far far better coded to be far more resistant to
    > this kind of attack than every other browser out there bar none, including
    > Firefox coded in 2004. While IE 6 has had some serious security problems
    > in the past, locking up or executing arbitrary code due to malformed HTML
    > is not generally one of those problem areas.


    First this thread has nothing to do with IE or Firefox? What exactly is your
    point here? Second, maybe, just maybe, IE was secure in regards to
    maleformed HTML but it has a horrible track record every where else, BAR
    NONE.

    > Having said that, every browser on the planet is vulnerable to denial of
    > service and lockups requiring some sort of restart from properly formed
    > HTML
    > trickery. And every OS on the planet requires restarting a service,
    > process or application of some sort to fix various problems, although some
    > of the newer ones allow restarting various components without a total
    > reboot better than current Windows does.



    Restart "X" has become the catch all solution to Windows problem solving and
    yes, it was "invented by Windows" as this behavior was not tolerated prior.
    Second, replying to someone saying:

    "Just restart IE. Worst case scenario, you just reboot."

    is just downright pathetic. How about a new concept? How about they fix the
    code? Remember not 6 months ago there was yet another vulnerability in IE
    that was listed as low critical "just a DOS" vulnerability? Turned out that
    vulnerability turned into a buffer overflow (and required a
    reclassification as Highly critical). Haven't you guys learned anything?
    How about demanding software quality and timely patches? How many time do
    you guys have to relive the same problems before something clicks?

    Imhotep
    Imhotep, May 30, 2006
    #6
  7. Re: Microsoft Internet Explorer Malformed HTML Parsing Denial ofService Vulnerability

    Imhotep wrote:

    > Restart "X" has become the catch all solution to Windows problem
    > solving and yes, it was "invented by Windows" as this behavior was
    > not tolerated prior. Second, replying to someone saying:


    Eh, no. Even on Unix they concluded "yes, we could carefully
    deinitialize and restart this specific services with dependencies, but
    it would be too complicated to implement, so we better restart the whole
    system."

    For Windows, it's just that there are more scenarios requiring a reboot.

    > "Just restart IE. Worst case scenario, you just reboot."
    >
    > is just downright pathetic. How about a new concept? How about they
    > fix the code? Remember not 6 months ago there was yet another
    > vulnerability in IE that was listed as low critical "just a DOS"
    > vulnerability?


    I'm remembering a similar case that is still unfixed since October 2002.

    > Turned out that vulnerability turned into a buffer overflow (and
    > required a reclassification as Highly critical).


    The subtype was a boundary error (i.e. a buffer overflow due to an array
    being filled by multiple threads without properly synchronizing the
    index counter) which, if not exact conditions are held, typically only
    results in a null pointer dereference. As Microsoft requires to exactly
    reproduce the problem, they're too stupid to understand where the real
    problem is.

    > How about demanding software quality and timely patches?


    Dunno, but from what Guninski and Lie Di Yu concluded about some serious
    design bugs IE was never designed/intended to be used in a untrusted
    network (like the internet).

    > How many time do you guys have to relive the same problems before
    > something clicks?


    Until it's explicitly written into a (online) manual about IE? I guess
    not even then.
    Sebastian Gottschalk, May 30, 2006
    #7
  8. "Imhotep" <> wrote in message
    news:...

    > First this thread has nothing to do with IE or Firefox?


    You started this thread, so you know it's about IE, including the subject
    line.

    > "Just restart IE. Worst case scenario, you just reboot."
    >
    > is just downright pathetic.


    For a browser lock up, I find it quite acceptable, as would most people.

    > How about a new concept? How about they fix the
    > code?


    Who said they aren't? I'm certain they are. Now, if you feel it's not fast
    enough for you, then you should probably switch to Linux and leave us in
    peace. Why are you still using Windows again?

    > Remember not 6 months ago there was yet another vulnerability in IE
    > that was listed as low critical "just a DOS" vulnerability? Turned out
    > that
    > vulnerability turned into a buffer overflow (and required a
    > reclassification as Highly critical).


    That's pretty common when it comes to vulns and is not specific to
    Microsoft. First a DoS is found, then a code execution is found.

    > Haven't you guys learned anything?
    > How about demanding software quality and timely patches?


    Who said I don't? You clearly know nothing of my relationship with
    Microsoft, but you're happy to assume I'm a Microsoft cheerleader on every
    subject, despite my having provided proof to the contrary to you repeatedly
    in the past. You're only happy if I tell you, "you're right on everything
    you say."
    Karl Levinson, May 31, 2006
    #8
  9. Imhotep

    Imhotep Guest

    Sebastian Gottschalk wrote:

    > Imhotep wrote:
    >
    >> Restart "X" has become the catch all solution to Windows problem
    >> solving and yes, it was "invented by Windows" as this behavior was
    >> not tolerated prior. Second, replying to someone saying:

    >
    > Eh, no. Even on Unix they concluded "yes, we could carefully
    > deinitialize and restart this specific services with dependencies, but
    > it would be too complicated to implement, so we better restart the whole
    > system."


    I stop/start/restart services every day as we are a UNIX shop. I almost
    NEVER have to reboot (except when upgrading the OS)...


    > For Windows, it's just that there are more scenarios requiring a reboot.



    Just about everything require a reboot in windows...

    >> "Just restart IE. Worst case scenario, you just reboot."
    >>
    >> is just downright pathetic. How about a new concept? How about they
    >> fix the code? Remember not 6 months ago there was yet another
    >> vulnerability in IE that was listed as low critical "just a DOS"
    >> vulnerability?

    >
    > I'm remembering a similar case that is still unfixed since October 2002.
    >
    >> Turned out that vulnerability turned into a buffer overflow (and
    >> required a reclassification as Highly critical).

    >
    > The subtype was a boundary error (i.e. a buffer overflow due to an array
    > being filled by multiple threads without properly synchronizing the
    > index counter) which, if not exact conditions are held, typically only
    > results in a null pointer dereference. As Microsoft requires to exactly
    > reproduce the problem, they're too stupid to understand where the real
    > problem is.


    That is very typical....

    >> How about demanding software quality and timely patches?

    >
    > Dunno, but from what Guninski and Lie Di Yu concluded about some serious
    > design bugs IE was never designed/intended to be used in a untrusted
    > network (like the internet).


    I believe it.

    >> How many time do you guys have to relive the same problems before
    >> something clicks?

    >
    > Until it's explicitly written into a (online) manual about IE? I guess
    > not even then.


    hahahaha...
    Imhotep, May 31, 2006
    #9
  10. Imhotep

    Imhotep Guest

    Karl Levinson wrote:

    >
    > "Imhotep" <> wrote in message
    > news:...
    >
    >> First this thread has nothing to do with IE or Firefox?

    >
    > You started this thread, so you know it's about IE, including the subject
    > line.


    type-o: replace "IE or Firefox" with "IE *vs* Firefox"...

    And again my statement stands. This thread is NOT about IE vs Firefox vs
    whatever so stop the feeble attempt to make it that...

    >> "Just restart IE. Worst case scenario, you just reboot."
    >>
    >> is just downright pathetic.

    >
    > For a browser lock up, I find it quite acceptable, as would most people.


    As opposed to fixing the code? Are you really making that statement?

    >> How about a new concept? How about they fix the
    >> code?

    >
    > Who said they aren't? I'm certain they are. Now, if you feel it's not
    > fast enough for you, then you should probably switch to Linux and leave us
    > in
    > peace. Why are you still using Windows again?


    Windows patch times are pathetic...These are security holes here and as such
    patch times should be on the order of days, not weeks, months and even some
    cases years...

    >> Remember not 6 months ago there was yet another vulnerability in IE
    >> that was listed as low critical "just a DOS" vulnerability? Turned out
    >> that
    >> vulnerability turned into a buffer overflow (and required a
    >> reclassification as Highly critical).

    >
    > That's pretty common when it comes to vulns and is not specific to
    > Microsoft. First a DoS is found, then a code execution is found.


    This should not be *common*. Second, my point *is* that this kind of
    attitude of "don't worry just reboot" is pathetic and leads to more
    security vulnerabilities (as in the example I gave above). If the security
    hole is fixed while it is "just a DOS" then the "code execution" would
    never be able to happen now would it....

    >> Haven't you guys learned anything?
    >> How about demanding software quality and timely patches?

    >
    > Who said I don't? You clearly know nothing of my relationship with
    > Microsoft, but you're happy to assume I'm a Microsoft cheerleader on every
    > subject, despite my having provided proof to the contrary to you
    > repeatedly
    > in the past. You're only happy if I tell you, "you're right on everything
    > you say."


    Did you miss your nightly medication? I said nothing of your relation
    Microsoft nor do I care if you have one or not...

    However, comments like "don't worry just reboot" are irresponsible...

    -- Imhotep
    Imhotep, May 31, 2006
    #10
  11. Re: Microsoft Internet Explorer Malformed HTML Parsing Denial ofService Vulnerability

    Imhotep wrote:

    >> Eh, no. Even on Unix they concluded "yes, we could carefully
    >> deinitialize and restart this specific services with dependencies, but
    >> it would be too complicated to implement, so we better restart the whole
    >> system."

    >
    > I stop/start/restart services every day as we are a UNIX shop. I almost
    > NEVER have to reboot (except when upgrading the OS)...


    I meant kernel services from a system view, not these services services.
    When chancing some not dynamically loaded kernel components, you'll have
    to reboot.

    >> For Windows, it's just that there are more scenarios requiring a reboot.

    >
    > Just about everything require a reboot in windows...


    Only it you don't know what to do. Some people reboot for unlocking open
    files, some other people just enter the admin password, aquire debug
    privilege and invalidate the file handle using Unlocker or Process
    Explorer (of course, there's no default tool who has such an ability).

    I remember my last reboot was... ehm... eh... sorry, simply can't
    remember such a long time. Must have been somewhere around the initial
    setup about a year ago (when the previous harddisk died).

    > That is very typical....


    This is very typical for every programmer who doesn't have a
    sufficiently deep clue. The real problem is that Microsoft shouldn't let
    such underqualified people handle important security stuff, and I know
    that they do have qualified programmers.

    >>> How about demanding software quality and timely patches?

    >> Dunno, but from what Guninski and Lie Di Yu concluded about some serious
    >> design bugs IE was never designed/intended to be used in a untrusted
    >> network (like the internet).

    >
    > I believe it.


    I don't. There are some other smaller design errors which could be fixed
    without revamping the entire code, and a lot of errors are really just
    random programming errors.

    So far only the cross-domain policy and the entire concept of ActiveX
    are definitely broken. The rest is just lousy.

    Well, there's a difference between intent and suitability. :)

    >>> How many time do you guys have to relive the same problems before
    >>> something clicks?

    >> Until it's explicitly written into a (online) manual about IE? I guess
    >> not even then.

    >
    > hahahaha...


    Don't wonder, in Microsoft online documentation you'll find explicit
    warning about the unencrypted nature of using telnet, rcp, rsh and rexec
    with recommendations for SSH, SCP and SFTP. You'll find warnings that LM
    hashes are bad, bad, bad. You'll even find some press paper admitting
    that Win98's multi-monitor support was beta quality.
    Sebastian Gottschalk, May 31, 2006
    #11
  12. Imhotep

    Imhotep Guest

    Sebastian Gottschalk wrote:

    > Imhotep wrote:
    >
    >>> Eh, no. Even on Unix they concluded "yes, we could carefully
    >>> deinitialize and restart this specific services with dependencies, but
    >>> it would be too complicated to implement, so we better restart the whole
    >>> system."

    >>
    >> I stop/start/restart services every day as we are a UNIX shop. I almost
    >> NEVER have to reboot (except when upgrading the OS)...

    >
    > I meant kernel services from a system view, not these services services.
    > When chancing some not dynamically loaded kernel components, you'll have
    > to reboot.


    The only time you have to reboot UNIX is upgraded/altering the kernel,
    generally speaking. Even kernel modules can be loaded/unloaded while the
    system is up and running perfectly fine. Frankly, this is acceptable since
    you very rarely upgrade your kernel. Everything else does not require
    rebooting...

    >>> For Windows, it's just that there are more scenarios requiring a reboot.

    >>
    >> Just about everything require a reboot in windows...

    >
    > Only it you don't know what to do. Some people reboot for unlocking open
    > files, some other people just enter the admin password, aquire debug
    > privilege and invalidate the file handle using Unlocker or Process
    > Explorer (of course, there's no default tool who has such an ability).


    I am talking about the foolish requirement when you install software. Why is
    it the majority of the time if I install software (applications) I have to
    reboot. This is the foolishness to which I speak...

    > I remember my last reboot was... ehm... eh... sorry, simply can't
    > remember such a long time. Must have been somewhere around the initial
    > setup about a year ago (when the previous harddisk died).


    I guess you did not patch that Windows box of yours!

    I have some linux boxes that have been running for years. Literally 3+
    years...(even patched them without rebooting, no kernel patches that is)

    >> That is very typical....

    >
    > This is very typical for every programmer who doesn't have a
    > sufficiently deep clue. The real problem is that Microsoft shouldn't let
    > such underqualified people handle important security stuff, and I know
    > that they do have qualified programmers.


    Every company has qualified people. Microsoft's problem is that they care
    more about marketing than quality...that is their problem. Case and point
    is vista. They had an opportunity to finally force vendors to make software
    that does not require users to be in the local admin group (bad security).
    Now, I know form experience that you can get most MS software to run by
    altering permission/groups/or runas but this is not out-of-the-box
    behavior. Instead of doing this (telling software vendors to make software
    that is installed as a local admin but run by regular users) they said we
    will us the UAC and just bombard users with permission questions. This is
    just plain foolish. How many users will just answer "yes" to everything
    thus making the "security" behind the idea moot?

    >>>> How about demanding software quality and timely patches?
    >>> Dunno, but from what Guninski and Lie Di Yu concluded about some serious
    >>> design bugs IE was never designed/intended to be used in a untrusted
    >>> network (like the internet).

    >>
    >> I believe it.

    >
    > I don't. There are some other smaller design errors which could be fixed
    > without revamping the entire code, and a lot of errors are really just
    > random programming errors.


    Some probably are small design errors and some probably are deep structural
    and thus are difficult to fix.

    > So far only the cross-domain policy and the entire concept of ActiveX
    > are definitely broken. The rest is just lousy.


    Cross domain was always a bad joke. Active-x was just Microsoft's way to
    have a java-like application. Most companies don;t even allow active-x
    through their firewalls for good reason.

    > Well, there's a difference between intent and suitability. :)
    >
    >>>> How many time do you guys have to relive the same problems before
    >>>> something clicks?
    >>> Until it's explicitly written into a (online) manual about IE? I guess
    >>> not even then.

    >>
    >> hahahaha...

    >
    > Don't wonder, in Microsoft online documentation you'll find explicit
    > warning about the unencrypted nature of using telnet, rcp, rsh and rexec
    > with recommendations for SSH, SCP and SFTP. You'll find warnings that LM
    > hashes are bad, bad, bad. You'll even find some press paper admitting
    > that Win98's multi-monitor support was beta quality.


    It is not rocket science...

    Imhotep
    Imhotep, May 31, 2006
    #12
  13. Re: Microsoft Internet Explorer Malformed HTML Parsing Denial ofService Vulnerability

    Imhotep wrote:

    > I am talking about the foolish requirement when you install software.
    > Why is it the majority of the time if I install software
    > (applications) I have to reboot. This is the foolishness to which I
    > speak...


    Yeah, I sometimes see software asking for reboots. Well, why should I
    follow their outdated advices?

    >> I remember my last reboot was... ehm... eh... sorry, simply can't
    >> remember such a long time. Must have been somewhere around the
    >> initial setup about a year ago (when the previous harddisk died).

    >
    > I guess you did not patch that Windows box of yours!


    I did.

    > I have some linux boxes that have been running for years. Literally
    > 3+ years...(even patched them without rebooting, no kernel patches
    > that is)


    My Win2K box has been running for five years until the hardware died.

    > Every company has qualified people. Microsoft's problem is that they
    > care more about marketing than quality...that is their problem.


    Hm... one could say it's the company motto: "writing software to make money"

    Why do you think they crippled outbound connections with raw sockets on
    WinXP SP2? Just to fulfill the foolish cries of foolish GRC worshippers.
    Better image = more people keep on using Windows, more are gonna buy the
    next version

    > they said we will us the UAC and just bombard users with permission
    > questions. This is just plain foolish. How many users will just
    > answer "yes" to everything thus making the "security" behind the idea
    > moot?


    Even worse, UAC doesn't work at all. The user is still an admin, just
    every program is started with user rights - if the user actually was an
    use, he couldn't give the programs additional rights. But now some parts
    of the GUI and lots of services and drivers are still running with admin
    rights, opening windows and receiving IPC messages across the UAC
    boundary - a malicious program can break out of the isolation.

    Dunno, but Vista will be crap anyway due to a trojan horse being
    integrated into the kernel.

    >> So far only the cross-domain policy and the entire concept of
    >> ActiveX are definitely broken. The rest is just lousy.

    >
    > Cross domain was always a bad joke.


    Yes, but now we know that it's fundamentally broken.

    > Active-x was just Microsoft's way to have a java-like application.


    Java at least has a chance to become secure, and Sun really does a good job.

    > It is not rocket science...


    It is marketing. May I say: IE is fine, just don't call it a webbrowser.
    It's a wonderful ActiveX client platform for the intranet.
    Sebastian Gottschalk, May 31, 2006
    #13
  14. "Imhotep" <> wrote in message
    news:...

    > This should not be *common*. Second, my point *is* that this kind of
    > attitude of "don't worry just reboot" is pathetic and leads to more
    > security vulnerabilities (as in the example I gave above). If the security
    > hole is fixed while it is "just a DOS" then the "code execution" would
    > never be able to happen now would it....

    nor do I care if you have one or not...
    >
    > However, comments like "don't worry just reboot" are irresponsible...


    Only Chicken Little runs around panicking about every issue out there.
    Until shown otherwise, most people agree that a browser lockup like this is
    an extremely minor issue. You and I know there are far more significant
    security issues out there affecting Microsoft products, and I'm going to
    focus my time and attention there. Encouraging others to do the same is
    responsible, not irresponsible.
    Karl Levinson, May 31, 2006
    #14
  15. Re: Microsoft Internet Explorer Malformed HTML Parsing Denial ofService Vulnerability

    Karl Levinson wrote:

    >> However, comments like "don't worry just reboot" are irresponsible...

    >
    > Only Chicken Little runs around panicking about every issue out there.
    > Until shown otherwise, most people agree that a browser lockup like this is
    > an extremely minor issue.


    Yeah, because dumb people are already used to such issues.
    However, for serious people is is unacceptable, because they usually
    don't face such issues.

    > You and I know there are far more significant
    > security issues out there affecting Microsoft products, and I'm going to
    > focus my time and attention there.


    There are non in IE.
    Well, except if you're misusing IE as a webbrowser, and then the issues
    are inherent (just like using telnet for remote access).

    BTW, would you please stop cross-posting without setting a Followup-To?
    Sebastian Gottschalk, May 31, 2006
    #15
  16. Imhotep

    Imhotep Guest

    Karl Levinson wrote:

    >
    > "Imhotep" <> wrote in message
    > news:...
    >
    >> This should not be *common*. Second, my point *is* that this kind of
    >> attitude of "don't worry just reboot" is pathetic and leads to more
    >> security vulnerabilities (as in the example I gave above). If the
    >> security hole is fixed while it is "just a DOS" then the "code execution"
    >> would never be able to happen now would it....

    > nor do I care if you have one or not...
    >>
    >> However, comments like "don't worry just reboot" are irresponsible...

    >
    > Only Chicken Little runs around panicking about every issue out there.
    > Until shown otherwise, most people agree that a browser lockup like this
    > is
    > an extremely minor issue. You and I know there are far more significant
    > security issues out there affecting Microsoft products, and I'm going to
    > focus my time and attention there. Encouraging others to do the same is
    > responsible, not irresponsible.



    hummm...one is reminded of a security vulnerability in IE not more than 8
    months ago that was just "a DOS" yet turned into a full blown critical
    security hole which code could be run from just visiting a web site. Now,
    you think security "professionals" would take a more serious look at "just
    a DOS". Most do, but, I guess there still are some that must learn the hard
    way, yet, again....

    So, call me whatever you want. I much rather be called "Chicken Little" than
    a fake security professional anyday...

    --- Imhotep
    Imhotep, Jun 3, 2006
    #16
  17. Imhotep

    Imhotep Guest

    Sebastian Gottschalk wrote:

    > Imhotep wrote:
    >
    >> I am talking about the foolish requirement when you install software.
    >> Why is it the majority of the time if I install software
    >> (applications) I have to reboot. This is the foolishness to which I
    >> speak...

    >
    > Yeah, I sometimes see software asking for reboots. Well, why should I
    > follow their outdated advices?
    >
    >>> I remember my last reboot was... ehm... eh... sorry, simply can't
    >>> remember such a long time. Must have been somewhere around the
    >>> initial setup about a year ago (when the previous harddisk died).

    >>
    >> I guess you did not patch that Windows box of yours!

    >
    > I did.
    >
    >> I have some linux boxes that have been running for years. Literally
    >> 3+ years...(even patched them without rebooting, no kernel patches
    >> that is)

    >
    > My Win2K box has been running for five years until the hardware died.
    >
    >> Every company has qualified people. Microsoft's problem is that they
    >> care more about marketing than quality...that is their problem.

    >
    > Hm... one could say it's the company motto: "writing software to make
    > money"
    >
    > Why do you think they crippled outbound connections with raw sockets on
    > WinXP SP2? Just to fulfill the foolish cries of foolish GRC worshippers.
    > Better image = more people keep on using Windows, more are gonna buy the
    > next version
    >
    >> they said we will us the UAC and just bombard users with permission
    >> questions. This is just plain foolish. How many users will just
    >> answer "yes" to everything thus making the "security" behind the idea
    >> moot?

    >
    > Even worse, UAC doesn't work at all. The user is still an admin, just
    > every program is started with user rights - if the user actually was an
    > use, he couldn't give the programs additional rights. But now some parts
    > of the GUI and lots of services and drivers are still running with admin
    > rights, opening windows and receiving IPC messages across the UAC
    > boundary - a malicious program can break out of the isolation.
    >
    > Dunno, but Vista will be crap anyway due to a trojan horse being
    > integrated into the kernel.
    >
    >>> So far only the cross-domain policy and the entire concept of
    >>> ActiveX are definitely broken. The rest is just lousy.

    >>
    >> Cross domain was always a bad joke.

    >
    > Yes, but now we know that it's fundamentally broken.
    >
    >> Active-x was just Microsoft's way to have a java-like application.

    >
    > Java at least has a chance to become secure, and Sun really does a good
    > job.
    >
    >> It is not rocket science...

    >
    > It is marketing. May I say: IE is fine, just don't call it a webbrowser.
    > It's a wonderful ActiveX client platform for the intranet.



    Again, nicely said.....


    Imhotep
    Imhotep, Jun 3, 2006
    #17
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. imhotep
    Replies:
    6
    Views:
    550
    imhotep
    Jun 7, 2006
  2. imhotep
    Replies:
    0
    Views:
    429
    imhotep
    Jun 9, 2006
  3. imhotep
    Replies:
    0
    Views:
    492
    imhotep
    Jun 23, 2006
  4. imhotep
    Replies:
    2
    Views:
    964
    Founder
    Jul 6, 2006
  5. Au79
    Replies:
    0
    Views:
    397
Loading...

Share This Page