Where is the IE zero day exploit in the news...

Discussion in 'Computer Security' started by Imhotep, Nov 27, 2005.

  1. Imhotep

    Imhotep Guest

    Has anyone noticed that there is not a single mention of the latest IE vuln
    in the news (popular news sites like cnn, yahoo, bbc, etc)???

    Imhotep
    Imhotep, Nov 27, 2005
    #1

  2. Imhotep

    Imhotep Guest

    Imhotep wrote:

    > Has anyone noticed that there is not a single mention of the latest IE
    > vuln in the news (popular news sites like cnn, yahoo, bbc, etc)???
    >
    > Imhotep


    ....still waiting for popular news sites to carry the article. Could it be
    that MS is putting on the pressure not to carry the article, in popular
    news sites, UNTIL there is a fix? Could it be that they are trying to
    prevent more IE to Firefox converts? Say it ain't so....say it ain't so....


    Imhotep
    Imhotep, Nov 27, 2005
    #2

  3. Imhotep wrote:
    > Has anyone noticed that there is not a single mention of the
    > latest IE vuln in the news (popular news sites like cnn, yahoo,
    > bbc, etc)???


    Imhotep wrote:
    > ...still waiting for popular news sites to carry the article. Could
    > it be that MS is putting on the pressure not to carry the article,
    > in popular news sites, UNTIL there is a fix? Could it be that they
    > are trying to prevent more IE to Firefox converts? Say it ain't
    > so....say it ain't so....


    ....

    --
    Shenan Stanley
    MS-MVP
    --
    How To Ask Questions The Smart Way
    http://www.catb.org/~esr/faqs/smart-questions.html
    Shenan Stanley, Nov 27, 2005
    #3
  4. "Imhotep" <> wrote in message
    news:...

    >> Has anyone noticed that there is not a single mention of the latest IE
    >> vuln in the news (popular news sites like cnn, yahoo, bbc, etc)???


    > ...still waiting for popular news sites to carry the article. Could it be
    > that MS is putting on the pressure not to carry the article, in popular
    > news sites, UNTIL there is a fix? Could it be that they are trying to
    > prevent more IE to Firefox converts? Say it ain't so....say it ain't
    > so....


    This vulnerability affects Firefox as well. So it's not really an "IE
    vuln."

    http://xforce.iss.net/xforce/xfdb/20783
    karl levinson, mvp, Nov 27, 2005
    #4
  5. Imhotep

    Imhotep Guest

    karl levinson, mvp wrote:

    >
    > "Imhotep" <> wrote in message
    > news:...
    >
    >>> Has anyone noticed that there is not a single mention of the latest IE
    >>> vuln in the news (popular news sites like cnn, yahoo, bbc, etc)???

    >
    >> ...still waiting for popular news sites to carry the article. Could it be
    >> that MS is putting on the pressure not to carry the article, in popular
    >> news sites, UNTIL there is a fix? Could it be that they are trying to
    >> prevent more IE to Firefox converts? Say it ain't so....say it ain't
    >> so....

    >
    > This vulnerability affects Firefox as well. So it's not really an "IE
    > vuln."
    >
    > http://xforce.iss.net/xforce/xfdb/20783



    Nice try but it does not allow remote code execution from some web site
    somewhere....

    With IE you can visit a web site and lose control of your PC...

    Enough said.

    Oh and MS has known about this for how long? Since May? Granted it was
    listed as a DOS but still, it has been how many months?

    Imhotep
    Imhotep, Nov 27, 2005
    #5
  6. Unruh

    Unruh Guest

    "karl levinson, mvp" <> writes:


    >"Imhotep" <> wrote in message
    >news:...


    >>> Has anyone noticed that there is not a single mention of the latest IE
    >>> vuln in the news (popular news sites like cnn, yahoo, bbc, etc)???


    >> ...still waiting for popular news sites to carry the article. Could it be
    >> that MS is putting on the pressure not to carry the article, in popular
    >> news sites, UNTIL there is a fix? Could it be that they are trying to
    >> prevent more IE to Firefox converts? Say it ain't so....say it ain't
    >> so....


    >This vulnerability affects Firefox as well. So it's not really an "IE
    >vuln."


    >http://xforce.iss.net/xforce/xfdb/20783


    From that page
    "It is reported that this vulnerability could be exploited to cause a
    denial of service on Firefox and Opera Web browsers, but remote code
    execution is not possible."

    I would say that remote code execution is far worse than crashing the
    browser.
    Unruh, Nov 28, 2005
    #6
  7. Imhotep

    Imhotep Guest

    Unruh wrote:

    > "karl levinson, mvp" <> writes:
    >
    >
    >>"Imhotep" <> wrote in message
    >>news:...

    >
    >>>> Has anyone noticed that there is not a single mention of the latest IE
    >>>> vuln in the news (popular news sites like cnn, yahoo, bbc, etc)???

    >
    >>> ...still waiting for popular news sites to carry the article. Could it
    >>> be that MS is putting on the pressure not to carry the article, in
    >>> popular news sites, UNTIL there is a fix? Could it be that they are
    >>> trying to prevent more IE to Firefox converts? Say it ain't so....say it
    >>> ain't so....

    >
    >>This vulnerability affects Firefox as well. So it's not really an "IE
    >>vuln."

    >
    >>http://xforce.iss.net/xforce/xfdb/20783

    >
    > From that page
    > "It is reported that this vulnerability could be exploited to cause a
    > denial of service on Firefox and Opera Web browsers, but remote code
    > execution is not possible."
    >
    > I would say that remote code execution is far worse than crashing the
    > browser.


    ....thanks. That is exactly what I have been trying to say...

    Im
    Imhotep, Nov 28, 2005
    #7
  8. "Imhotep" <> wrote in message
    news:...

    > >>This vulnerability affects Firefox as well. So it's not really an "IE
    > >>vuln."

    > >
    > >>http://xforce.iss.net/xforce/xfdb/20783

    > >
    > > From that page
    > > "It is reported that this vulnerability could be exploited to cause a
    > > denial of service on Firefox and Opera Web browsers, but remote code
    > > execution is not possible."
    > >
    > > I would say that remote code execution is far worse than crashing the
    > > browser.

    >
    > ...thanks. That is exactly what I have been trying to say...


    No, what you've been trying to say is that Microsoft was severely in error
    and should not have rated this as "low" when it was "only a denial of
    service." But that's the opposite of what the two of you are saying now
    when considering the exact same vulnerability affecting Firefox, that it's
    OK to minimize the Firefox vuln as being "just a denial of service." There
    are two different viewpoints being expressed here that are inconsistent with
    each other. If the Firefox vuln is "only a denial of service," then the IE
    vuln has only been a known remote code execution vuln for a week or so, not
    six months.

    Microsoft is being faulted here for not notifying customers [although it
    has]. I couldn't find anything on the Firefox web site about this. Not
    only haven't they patched this, they haven't notified customers like
    Microsoft has. Presumably they're still testing and reproducing the
    vulnerability. Which goes back to what I was saying about not assuming that
    Microsoft can necessarily always repro a vuln overnight when a finder
    refuses to give them all the details.
    Karl Levinson, mvp, Nov 28, 2005
    #8
  9. Unruh

    Unruh Guest

    "Karl Levinson, mvp" <> writes:


    >"Imhotep" <> wrote in message
    >news:...


    >> >>This vulnerability affects Firefox as well. So it's not really an "IE
    >> >>vuln."
    >> >
    >> >>http://xforce.iss.net/xforce/xfdb/20783
    >> >
    >> > From that page
    >> > "It is reported that this vulnerability could be exploited to cause a
    >> > denial of service on Firefox and Opera Web browsers, but remote code
    >> > execution is not possible."
    >> >
    >> > I would say that remote code execution is far worse than crashing the
    >> > browser.

    >>
    >> ...thanks. That is exactly what I have been trying to say...


    >No, what you've been trying to say is that Microsoft was severely in error
    >and should not have rated this as "low" when it was "only a denial of
    >service." But that's the opposite of what the two of you are saying now
    >when considering the exact same vulnerability affecting Firefox, that it's
    >OK to minimize the Firefox vuln as being "just a denial of service." There


    I never said anything like that. I said that remote code execution is much
    worse than denial of service and I still stand by that.

    >are two different viewpoints being expressed here that are inconsistent with
    >each other. If the Firefox vuln is "only a denial of service," then the IE
    >vuln has only been a known remote code execution vuln for a week or so, not
    >six months.


    And I said "only denial of service" where?


    >Microsoft is being faulted here for not notifying customers [although it
    >has]. I couldn't find anything on the Firefox web site about this. Not
    >only haven't they patched this, they haven't notified customers like
    >Microsoft has. Presumably they're still testing and reproducing the
    >vulnerability. Which goes back to what I was saying about not assuming that
    >Microsoft can necessarily always repro a vuln overnight when a finder
    >refuses to give them all the details.


    6 months sounds a bit extreme however. You must live at the north pole or
    south pole, for that to be overnight.
    Unruh, Nov 28, 2005
    #9
  10. "Unruh" <> wrote in message
    news:dmflb8$2fa$...

    > I never said anything like that. I said that remote code execution is much
    > worse than denial of service and I still stand by that.


    That's not in dispute.

    >>are two different viewpoints being expressed here that are inconsistent
    >>with each other. If the Firefox vuln is "only a denial of service," then
    >>the IE vuln has only been a known remote code execution vuln for a week
    >>or so, not six months.

    >
    > And I said "only denial of service" where?


    Check the message headers. I wasn't responding to you.

    >>Microsoft is being faulted here for not notifying customers [although it
    >>has]. I couldn't find anything on the Firefox web site about this. Not
    >>only haven't they patched this, they haven't notified customers like
    >>Microsoft has. Presumably they're still testing and reproducing the
    >>vulnerability. Which goes back to what I was saying about not assuming
    >>that Microsoft can necessarily always repro a vuln overnight when a
    >>finder refuses to give them all the details.

    >
    > 6 months sounds a bit extreme however. You must live at the north pole or
    > south pole, for that to be overnight.


    Or, perhaps they rated it as low priority because it was "only a denial of
    service."
    karl levinson, mvp, Nov 29, 2005
    #10
  11. Imhotep

    Imhotep Guest

    Karl Levinson, mvp wrote:

    >
    > "Imhotep" <> wrote in message
    > news:...
    >
    >> >>This vulnerability affects Firefox as well. So it's not really an "IE
    >> >>vuln."
    >> >
    >> >>http://xforce.iss.net/xforce/xfdb/20783
    >> >
    >> > From that page
    >> > "It is reported that this vulnerability could be exploited to cause a
    >> > denial of service on Firefox and Opera Web browsers, but remote code
    >> > execution is not possible."
    >> >
    >> > I would say that remote code execution is far worse than crashing the
    >> > browser.

    >>
    >> ...thanks. That is exactly what I have been trying to say...

    >
    > No, what you've been trying to say is that Microsoft was severely in error
    > and should not have rated this as "low" when it was "only a denial of
    > service." But that's the opposite of what the two of you are saying now
    > when considering the exact same vulnerability affecting Firefox, that it's
    > OK to minimize the Firefox vuln as being "just a denial of service."
    > There are two different viewpoints being expressed here that are
    > inconsistent with
    > each other. If the Firefox vuln is "only a denial of service," then the
    > IE vuln has only been a known remote code execution vuln for a week or so,
    > not six months.
    >
    > Microsoft is being faulted here for not notifying customers [although it
    > has]. I couldn't find anything on the Firefox web site about this. Not
    > only haven't they patched this, they haven't notified customers like
    > Microsoft has. Presumably they're still testing and reproducing the
    > vulnerability. Which goes back to what I was saying about not assuming
    > that Microsoft can necessarily always repro a vuln overnight when a finder
    > refuses to give them all the details.



    The bug finder did not notify Firefox. He/She notified
    Microsoft....Microsoft then sat on its hands for 6 or so months not fixing
    the bug and now allowing people to get cracked.

    Imhotep
    Imhotep, Nov 30, 2005
    #11
  12. Imhotep

    Imhotep Guest

    karl levinson, mvp wrote:

    >
    > "Unruh" <> wrote in message
    > news:dmflb8$2fa$...
    >
    >> I never said anything like that. I said that remote code execution is
    >> much worse than denial of service and I still stand by that.

    >
    > That's not in dispute.
    >
    >>>are two different viewpoints being expressed here that are inconsistent
    >>>with each other. If the Firefox vuln is "only a denial of service," then
    >>>the IE vuln has only been a known remote code execution vuln for a week
    >>>or so, not six months.

    >>
    >> And I said "only denial of service" where?

    >
    > Check the message headers. I wasn't responding to you.
    >
    >>>Microsoft is being faulted here for not notifying customers [although it
    >>>has]. I couldn't find anything on the Firefox web site about this. Not
    >>>only haven't they patched this, they haven't notified customers like
    >>>Microsoft has. Presumably they're still testing and reproducing the
    >>>vulnerability. Which goes back to what I was saying about not assuming
    >>>that Microsoft can necessarily always repro a vuln overnight when a
    >>>finder refuses to give them all the details.

    >>
    >> 6 months sounds a bit extreme however. You must live at the north pole or
    >> south pole, for that to be overnight.

    >
    > Or, perhaps they rated it as low priority because it was "only a denial of
    > service."



    Again, low or not, it HAS BEEN 6 months. Second, Microsoft obviously dropped
    the ball in evaluating the security hole....for 6 months...which is the
    point of this thread.

    Imhotep
    Imhotep, Nov 30, 2005
    #12
  13. "Imhotep" <> wrote in message
    news:...

    > The bug finder did not notify Firefox. He/She notified
    > Microsoft....


    Where did you read that? I have found nothing to show Microsoft was
    notified of this.

    > Microsoft then sat on its hands for 6 or so months not fixing
    > the bug and now allowing people to get cracked.


    You don't know and are only guessing what Microsoft did or didn't do with
    this. As you stated, remote code execution vulns are worse than browser
    crash vulns. So, by that statement, Microsoft was correct to prioritize
    working on fixing other remote code execution vulns first.
    Karl Levinson, mvp, Dec 1, 2005
    #13
  14. "Imhotep" <> wrote in message
    news:...

    > > Or, perhaps they rated it as low priority because it was "only a denial
    > > of service."
    >
    > Again, low or not, it HAS BEEN 6 months. Second, Microsoft obviously
    > dropped the ball in evaluating the security hole....for 6 months...which
    > is the point of this thread.


    No, like you, Microsoft prioritized it lower than other vulns, because like
    you, they consider remote code execution vulns to be worse than browser
    crash vulns.
    Karl Levinson, mvp, Dec 1, 2005
    #14
  15. Unruh

    Unruh Guest

    "Karl Levinson, mvp" <> writes:


    >"Imhotep" <> wrote in message
    >news:...


    >> > Or, perhaps they rated it as low priority because it was "only a denial
    >> > of service."
    >>
    >> Again, low or not, it HAS BEEN 6 months. Second, Microsoft obviously
    >> dropped the ball in evaluating the security hole....for 6 months...which
    >> is the point of this thread.


    >No, like you, Microsoft prioritized it lower than other vulns, because like
    >you, they consider remote code execution vulns to be worse than browser
    >crash vulns.


    You mean Microsoft had so many "remote code execution" vulnerabilities that
    they could not get to serious but lesser things in 6 months? They claim to
    be able to rewrite a whole operating system in only a few times that
    timeframe. If your scenario is correct then MS is far worse than its worst
    critics claim it is.
    Unruh, Dec 1, 2005
    #15
  16. Alun Jones

    Alun Jones Guest

    In article <dmngj9$m2$>, Unruh <> wrote:
    >You mean Microsoft had so many "remote code execution" vulnerabilities that
    >they could not get to serious but lesser things in 6 months? They claim to
    >be able to rewrite a whole operating system in only a few times that
    >timeframe. If your scenario is correct then MS is far worse than its worst
    >critics claim it is.


    Or, to put it a different way, Microsoft could have added another patch that
    likely requires you to reboot your operating system for a low-level
    denial-of-service issue that wasn't being exploited, and because it was a
    low-level DoS, wasn't likely to be exploited.

    Yeah, that would be just wonderful, wouldn't it? "Microsoft made me reboot my
    machine - again - for /nothing/?"

    You can't just release patches and assume that everyone will be happy.

    You have to test the patches (and remember, not everyone installs every patch,
    so you have to test a number of different variations of installations), and
    then you have to decide "is the damage to our users' systems going to be
    greater if we release the patch than if we wait for the next service pack or
    other patch to this portion?"

    For IE, the chances would be high that some other patch would need to go out,
    so why force an update (and a reboot) for a minor issue, knowing that it would
    likely not be attacked before the next time you got to issue a patch?

    You are talking in such black and white terms, it's as if you miss the
    whole complexity of the issue.

    Alun.
    ~~~~

    [Please don't email posters, if a Usenet response is appropriate.]
    --
    Texas Imperial Software | Find us at http://www.wftpd.com or email
    23921 57th Ave SE | .
    Washington WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
    Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
    Alun Jones, Dec 1, 2005
    #16
  17. "Alun Jones" <> wrote in message
    news:...
    > In article <dmngj9$m2$>, Unruh <> wrote:

    > For IE, the chances would be high that some other patch would need to go
    > out, so why force an update (and a reboot) for a minor issue, knowing that
    > it would likely not be attacked before the next time you got to issue a
    > patch?


    Not to mention that there are and always will be plenty of ways to DoS any
    browser. Just put it into a never ending loop, for example. No big deal,
    really, just shut down your browser and re-start it and the problem goes
    away, unless the user is stupid enough to go back to the site that DoSsed
    them in the first place. That's why you never ever see someone trying to
    execute a browser DoS.
    Karl Levinson, mvp, Dec 2, 2005
    #17
  18. Imhotep

    Imhotep Guest

    Karl Levinson, mvp wrote:

    >
    > "Imhotep" <> wrote in message
    > news:...
    >
    >> The bug finder did not notify Firefox. He/She notified
    >> Microsoft....

    >
    > Where did you read that? I have found nothing to show Microsoft was
    > notified of this.


    Microsoft was notified, what 8 months ago? After reviewing it, they
    mistakenly "evaluated" it as low...

    >> Microsoft then sat on its hands for 6 or so months not fixing
    >> the bug and now allowing people to get cracked.

    >
    > You don't know and are only guessing what Microsoft did or didn't do with
    > this. As you stated, remote code execution vulns are worse than browser
    > crash vulns. So, by that statement, Microsoft was correct to prioritize
    > working on fixing other remote code execution vulns first.


    Please, spare me. What I said was given the choice of a browser blowing up
    or allowing ANY web site to run ANY binary on my PC, I would wisely choose
    my browser blowing up. Now, face it, once and for all, your mighty
    Microsoft, yet again, screwed their customers by not putting any "research"
    into evaluating this serious security hole. You can fight this fact, and
    try to twist words around but, all you do is prove to me that I am right in
    saying "Yet again MS users are better off looking at another
    platform"...squirm all you want but you are on the "hook"...

    Imhotep
    Imhotep, Dec 2, 2005
    #18
  19. Imhotep

    Imhotep Guest

    Karl Levinson, mvp wrote:

    >
    > "Imhotep" <> wrote in message
    > news:...
    >
    >> > Or, perhaps they rated it as low priority because it was "only a denial
    >> > of service."
    >>
    >> Again, low or not, it HAS BEEN 6 months. Second, Microsoft obviously
    >> dropped the ball in evaluating the security hole....for 6 months...which
    >> is the point of this thread.

    >
    > No, like you, Microsoft prioritized it lower than other vulns, because
    > like you, they consider remote code execution vulns to be worse than
    > browser crash vulns.



    ....I also believe that such a popular application, as IE, should not go
    unpatched for what 8 months now? No matter what level of security hole
    it is/was evaluated to. Unlike you, I do not make such foolish excuses...

    Imhotep
    Imhotep, Dec 2, 2005
    #19
  20. Imhotep

    Imhotep Guest

    Unruh wrote:

    > "Karl Levinson, mvp" <> writes:
    >
    >
    >>"Imhotep" <> wrote in message
    >>news:...

    >
    >>> > Or, perhaps they rated it as low priority because it was "only a
    >>> > denial of service."
    >>>
    >>> Again, low or not, it HAS BEEN 6 months. Second, Microsoft obviously
    >>> dropped the ball in evaluating the security hole....for 6 months...which
    >>> is the point of this thread.

    >
    >>No, like you, Microsoft prioritized it lower than other vulns, because
    >>like you, they consider remote code execution vulns to be worse than
    >>browser crash vulns.

    >
    > You mean Microsoft had so many "remote code execution" vulnerabilities
    > that they could not get to serious but lesser things in 6 months? They
    > claim to be able to rewrite a whole operating system in only a few times
    > that timeframe. If your scenario is correct then MS is far worse than its
    > worst critics claim it is.



    Ah you also forgot totally redoing the XBox...I guess that was where their
    attention was....

    But, hey, I heard that the XBox was "blue screening" too!!!!!! Some things
    never change, like Microsoft "quality".

    Imhotep
    Imhotep, Dec 2, 2005
    #20