Patches released for zero-day IE threat...

Discussion in 'Computer Security' started by Imhotep, Mar 29, 2006.

  1. Imhotep Guest

    UPDATE: Hundreds of malicious Web sites are attempting to exploit the most
    critical of two flaws announced last week in Microsoft's browser,
    convincing two companies to release workarounds late Monday to head off the
    threat.

    http://www.securityfocus.com/news/11384?ref=rss

    Im
    Imhotep, Mar 29, 2006
    #1

  2. Imhotep wrote:
    > UPDATE: Hundreds of malicious Web sites are attempting to exploit the most
    > critical of two flaws announced last week


    reads: hundreds of websites are too dumb or lame to implement exploits
    for already existing unpatched critical security holes

    > in Microsoft's browser,


    better not calling it a webbrowser, as it was never designed to be one.

    > convincing two companies to release workarounds late Monday to head off the
    > threat.


    workaround: disable ActiveScripting

    Should already be implemented, as ActiveScripting is inherently insecure.


    Well, simply said: Tell news. Yet another security hole in MSIE isn't
    use, it's almost tradition.
    Sebastian Gottschalk, Mar 29, 2006
    #2

  3. Gerard Bok Guest

    On Wed, 29 Mar 2006 04:25:20 +0200, Sebastian Gottschalk
    <> wrote:

    >Imhotep wrote:
    >> UPDATE: Hundreds of malicious Web sites are attempting to exploit the most
    >> critical of two flaws announced last week

    >
    >reads: hundreds of websites are too dumb or lame to implement exploits
    >for already existing unpatched critical security holes
    >
    >> in Microsoft's browser,

    >
    >better not calling it a webbrowser, as it was never designed to be one.
    >


    It is said to be a safe browser by the end of this week :)

    --
    Kind regards,
    Gerard Bok
    Gerard Bok, Mar 29, 2006
    #3
  4. Gerard Bok wrote:

    > On Wed, 29 Mar 2006 04:25:20 +0200, Sebastian Gottschalk <>
    > wrote:
    >
    >>Imhotep wrote:
    >>> UPDATE: Hundreds of malicious Web sites are attempting to exploit the
    >>> most critical of two flaws announced last week

    >>
    >>reads: hundreds of websites are too dumb or lame to implement exploits
    >>for already existing unpatched critical security holes
    >>
    >>> in Microsoft's browser,

    >>
    >>better not calling it a webbrowser, as it was never designed to be one.
    >>
    >>

    > It is said to be a safe browser by the end of this week :)


    And a total clusterfuk again by Monday. :-(
    Borked Pseudo Mailed, Mar 29, 2006
    #4
  5. Alun Jones Guest

    In article <>, Imhotep <>
    wrote:
    >UPDATE: Hundreds of malicious Web sites are attempting to exploit the most
    >critical of two flaws announced last week in Microsoft's browser,
    >convincing two companies to release workarounds late Monday to head off the
    >threat.
    >
    >http://www.securityfocus.com/news/11384?ref=rss


    All very well, but unless you know and trust the groups releasing those
    workarounds, you find that you are in this situation:

    Problem: You don't want unknown and untrusted people to run code on your
    machine.
    Solution: You download and run code on your machine from unknown and untrusted
    people.

    Also, you have to wonder - do these companies have the ability to test their
    patches in your language, in your locale, and with your LOB (line-of-business)
    applications? Not likely, so you find you have to do some significant
    testing.

    For most people the risk outweighs the potential benefits, and taking care
    while surfing is the best thing to do.

    Alun.
    ~~~~

    [Please don't email posters, if a Usenet response is appropriate.]
    --
    Texas Imperial Software | Find us at http://www.wftpd.com or email
    23921 57th Ave SE | .
    Washington WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
    Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
    Alun Jones, Mar 29, 2006
    #5
  6. Alun Jones wrote:

    > Problem: You don't want unknown and untrusted people to run code on your
    > machine.


    If you're running IE on the intarweb, you can't be serious about that
    anyway.

    > Also, you have to wonder - do these companies have the ability to test their
    > patches in your language, in your locale, and with your LOB (line-of-business)
    > applications? Not likely, so you find you have to do some significant
    > testing.


    You have to wonder: Why should that matter if Microsoft refuses to patch
    many known vulnerabilities anyway?

    > For most people the risk outweighs the potential benefits, and taking care
    > while surfing is the best thing to do.


    Bullshit. A webbrowser doesn't need to be vulnerable in first place, and
    a good webbrowser will let you not need to care for what website you
    visit. As if you could, as we've already seen exploits spread via ads on
    usually harmless websites.

    > ~~~~


    And please get a serious signature delimiter!
    Sebastian Gottschalk, Mar 29, 2006
    #6
  7. nemo_outis Guest

    Sebastian Gottschalk <> wrote in
    news::

    > Imhotep wrote:
    >> UPDATE: Hundreds of malicious Web sites are attempting to exploit the
    >> most critical of two flaws announced last week

    >
    > reads: hundreds of websites are too dumb or lame to implement exploits
    > for already existing unpatched critical security holes
    >
    >> in Microsoft's browser,

    >
    > better not calling it a webbrowser, as it was never designed to be
    > one.
    >
    >> convincing two companies to release workarounds late Monday to head
    >> off the threat.

    >
    > workaround: disable ActiveScripting
    >
    > Should already be implemented, as ActiveScripting is inherently
    > insecure.
    >
    >
    > Well, simply said: Tell news. Yet another security hole in MSIE isn't
    > use, it's almost tradition.
    >




    There is also the following third-party fix:


    http://www.eeye.com/html/research/tools/JScriptPatchSetup.exe

    and a discussion at:

    http://www.eeye.com/html/company/press/PR20060327.html

    Regards,
    nemo_outis, Mar 29, 2006
    #7
  8. Imhotep Guest

    Alun Jones wrote:

    > In article <>, Imhotep
    > <> wrote:
    >>UPDATE: Hundreds of malicious Web sites are attempting to exploit the most
    >>critical of two flaws announced last week in Microsoft's browser,
    >>convincing two companies to release workarounds late Monday to head off
    >>the threat.
    >>
    >>http://www.securityfocus.com/news/11384?ref=rss

    >
    > All very well, but unless you know and trust the groups releasing those
    > workarounds, you find that you are in this situation:
    >
    > Problem: You don't want unknown and untrusted people to run code on your
    > machine.
    > Solution: You download and run code on your machine from unknown and
    > untrusted people.
    >
    > Also, you have to wonder - do these companies have the ability to test
    > their patches in your language, in your locale, and with your LOB
    > (line-of-business)
    > applications? Not likely, so you find you have to do some significant
    > testing.
    >
    > For most people the risk outweighs the potential benefits, and taking care
    > while surfing is the best thing to do.
    >
    > Alun.
    > ~~~~
    >
    > [Please don't email posters, if a Usenet response is appropriate.]


    Very good points. I guess you have to balance between waiting for an MS fix
    (being vulnerable) or trusting the company. Honestly, with the quality of
    MS patches coming out it is a gamble either way...

    Im
    Imhotep, Mar 30, 2006
    #8
  9. Imhotep Guest

    Sebastian Gottschalk wrote:

    > Alun Jones wrote:
    >
    >> Problem: You don't want unknown and untrusted people to run code on your
    >> machine.

    >
    > If you're running IE on the intarweb, you can't be serious about that
    > anyway.
    >
    >> Also, you have to wonder - do these companies have the ability to test
    >> their patches in your language, in your locale, and with your LOB
    >> (line-of-business)
    >> applications? Not likely, so you find you have to do some significant
    >> testing.

    >
    > You have to wonder: Why should that matter if Microsoft refuses to patch
    > many known vulnerabilities anyway?
    >
    >> For most people the risk outweighs the potential benefits, and taking
    >> care while surfing is the best thing to do.

    >
    > Bullshit. A webbrowser doesn't need to be vulnerable in first place, and
    > a good webbrowser will let you not need to care for what website you
    > visit. As if you could, as we've already seen exploits spread via ads on
    > usually harmless websites.
    >
    >> ~~~~

    >
    > And please get a serious signature delimiter!



    ...also good points. Many of the problems in IE stem from MS and their
    insistence to produce a web browser that only works well with other MS
    products. In doing this they avoid known protocols and instead try to create
    their own....and still people insist upon using it...whose fault is it
    really?
    Imhotep, Mar 30, 2006
    #9
  10. Alun Jones wrote:

    > In article <>, Imhotep
    > <> wrote:
    >>UPDATE: Hundreds of malicious Web sites are attempting to exploit the
    >>most critical of two flaws announced last week in Microsoft's browser,
    >>convincing two companies to release workarounds late Monday to head off
    >>the threat.
    >>
    >>http://www.securityfocus.com/news/11384?ref=rss

    >
    > All very well, but unless you know and trust the groups releasing those
    > workarounds, you find that you are in this situation:
    >
    > Problem: You don't want unknown and untrusted people to run code on your
    > machine.


    The typical scenario is that a third party patch or work around has
    transparency due to the fact that the source or process is widely
    published. In this respect a third party fix is more trustworthy than one
    from Microsoft itself. It is "out in the open" while the MS fix usually
    isn't, and thus the third party fix is easier to examine.

    You're confusing trust with "popularity". A common mistake.

    > Solution: You download and run code on your machine from unknown and
    > untrusted people.
    >
    > Also, you have to wonder - do these companies have the ability to test
    > their patches in your language, in your locale, and with your LOB
    > (line-of-business) applications? Not likely, so you find you have to do
    > some significant testing.


    If you believe Microsoft is testing their patches, or ANYTHING for that
    matter, with your "LOB" software you're delusional. They test it with
    their operating system and draw logical conclusions about what effect it
    will have based on the nature of the problem, just like a typical third
    party does.

    > For most people the risk outweighs the potential benefits, and taking care
    > while surfing is the best thing to do.


    Most people don't understand the concept of risk, where it comes from, or
    what mitigates it. The above suggestion that simply because a "fix" comes
    from Microsoft it's more secure and trustworthy than a fix from someone
    else is simplistic at best and absolutely ridiculous in most cases.
    Especially given Microsoft's history of releasing patches and fixes that
    introduce new problems. <LAUGH>

    Fact is, you're a lot better off, security wise, to go with the patch
    offered by a third party.
    Borked Pseudo Mailed, Mar 30, 2006
    #10
  11. Imhotep wrote:

    > Very good points. I guess you have to balance between waiting for an MS fix
    > (being vulnerable) or trusting the company.


    We're waiting for very important fixes since '03. No balance whatsoever.
    Sebastian Gottschalk, Mar 30, 2006
    #11
  12. Half_Light Guest

    On Wed, 29 Mar 2006 16:39:02 +0200, Sebastian Gottschalk
    <> wrote:


    >Bullshit. A webbrowser doesn't need to be vulnerable in first place, and
    >a good webbrowser will let you not need to care for what website you
    >visit. As if you could, as we've already seen exploits spread via ads on
    >usually harmless websites.


    Here's a safe browser.

    http://www.OffByOne.com
    Half_Light, Apr 3, 2006
    #12