Where is the IE zero day exploit in the news...

Discussion in 'Computer Security' started by Imhotep, Nov 27, 2005.

  1. Imhotep

    Imhotep Guest

    Has anyone noticed that there is not a single mention of the latest IE vuln
    in the news (popular news sites like cnn, yahoo, bbc, etc)???

    Imhotep, Nov 27, 2005

  2. Imhotep

    Imhotep Guest

    ....still waiting for popular news sites to carry the article. Could it be
    that MS is putting on the pressure not to carry the article, in popular
    news sites, UNTIL there is a fix? Could it be that they are trying to
    prevent more IE to Firefox converts? Say it ain't so....say it ain't so....

    Imhotep, Nov 27, 2005

  3. ....
    Shenan Stanley, Nov 27, 2005
  4. This vulnerability affects Firefox as well. So it's not really an "IE

    karl levinson, mvp, Nov 27, 2005
  5. Imhotep

    Imhotep Guest

    Nice try but it does not allow remote code execution from some web site

    With IE you can visit a web site and lose control of your PC...

    Enough said.

    Oh and MS has known about this for how long? Since May? Granted it was
    listed as a DOS but still, it has been how many months?

    Imhotep, Nov 27, 2005
  6. Imhotep

    Unruh Guest

    From that page
    "It is reported that this vulnerability could be exploited to cause a
    denial of service on Firefox and Opera Web browsers, but remote code
    execution is not possible."

    I would say that remote code execution is far worse than crashing the
    Unruh, Nov 28, 2005
  7. Imhotep

    Imhotep Guest

    ....thanks. That is exactly what I have been trying to say...

    Imhotep, Nov 28, 2005
  8. No, what you've been trying to say is that Microsoft was severely in error
    and should not have rated this as "low" when it was "only a denial of
    service." But that's the opposite of what the two of you are saying now
    when considering the exact same vulnerability affecting Firefox, that it's
    OK to minimize the Firefox vuln as being "just a denial of service." There
    are two different viewpoints being expressed here that are inconsistent with
    each other. If the Firefox vuln is "only a denial of service," then the IE
    vuln has only been a known remote code execution vuln for a week or so, not
    six months.

    Microsoft is being faulted here for not notifying customers [although it
    has]. I couldn't find anything on the Firefox web site about this. Not
    only haven't they patched this, they haven't notified customers like
    Microsoft has. Presumably they're still testing and reproducing the
    vulnerability. Which goes back to what I was saying about not assuming that
    Microsoft can necessarily always repro a vuln overnight when a finder
    refuses to give them all the details.
    Karl Levinson, mvp, Nov 28, 2005
  9. Imhotep

    Unruh Guest

    I never said anything like that. I said that remote code execution is much
    worse than denial of service and I still stand by that.
    And I said "only denial of service" where?

    6 months sounds a bit extreme however. You must live at the north pole or
    south pole, for that to be overnight.
    Unruh, Nov 28, 2005
  10. That's not in dispute.
    Check the message headers. I wasn't responding to you.
    Or, perhaps they rated it as low priority because it was "only a denial of
    karl levinson, mvp, Nov 29, 2005
  11. Imhotep

    Imhotep Guest

    The bug finder did not notify Firefox. He/She notified
    Microsoft....Microsoft then sat on its hands for 6 or so months not fixing
    the bug and now allowing people to get cracked.

    Imhotep, Nov 30, 2005
  12. Imhotep

    Imhotep Guest

    Again, low or not, it HAS BEEN 6 months. Second, Microsoft obviously dropped
    the ball in evaluating the security hole....for 6 months...which is the
    point of this thread.

    Imhotep, Nov 30, 2005
  13. Where did you read that? I have found nothing to show Microsoft was
    notified of this.
    You don't know and are only guessing what Microsoft did or didn't do with
    this. As you stated, remote code execution vulns are worse than browser
    crash vulns. So, by that statement, Microsoft was correct to prioritize
    working on fixing other remote code execution vulns first.
    Karl Levinson, mvp, Dec 1, 2005
  14. No, like you, Microsoft prioritized it lower than other vulns, because like
    you, they consider remote code execution vulns to be worse than browser
    crash vulns.
    Karl Levinson, mvp, Dec 1, 2005
  15. Imhotep

    Unruh Guest

    You mean Microsoft had so many "remote code execution" vulnerabilities that
    they could not get to serious but lesser things in 6 months? They claim to
    be able to rewrite a whole operating system in only a few times that
    timeframe. If your scenario is correct then MS is far worse than its worst
    critics claim it is.
    Unruh, Dec 1, 2005
  16. Imhotep

    Alun Jones Guest

    Or, to put it a different way, Microsoft could have added another patch that
    likely requires you to reboot your operating system for a low-level
    denial-of-service issue that wasn't being exploited, and because it was a
    low-level DoS, wasn't likely to be exploited.

    Yeah, that would be just wonderful, wouldn't it? "Microsoft made me reboot my
    machine - again - for /nothing/?"

    You can't just release patches and assume that everyone will be happy.

    You have to test the patches (and remember, not everyone installs every patch,
    so you have to test a number of different variations of installations), and
    then you have to decide "is the damage to our users' systems going to be
    greater if we release the patch than if we wait for the next service pack or
    other patch to this portion?"

    For IE, the chances would be high that some other patch would need to go out,
    so why force an update (and a reboot) for a minor issue, knowing that it would
    likely not be attacked before the next time you got to issue a patch?

    You are talking in such black and white terms, it's as if you miss the
    whole complexity of the issue.


    [Please don't email posters, if a Usenet response is appropriate.]
    Alun Jones, Dec 1, 2005
    Karl Levinson, mvp, Dec 2, 2005
  18. Imhotep

    Imhotep Guest

    Microsoft was notified, what 8 months ago? After reviewing it, they
    mistakenly "evaluated" it as low...
    Please, spare me. What I said was given the choice of a browser blowing up
    or allowing ANY web site to run ANY binary on my PC, I would wisely choose
    my browser blowing up. Now, face it, once and for all, your mighty
    Microsoft, yet again, screwed their customers by not putting any "research"
    into evaluating this serious security hole. You can fight this fact, and
    try to twist words around but, all you do is prove to me that I am right in
    saying "Yet again MS users are better off looking at another
    platform"...squirm all you want but you are on the "hook"...

    Imhotep, Dec 2, 2005
  19. Imhotep

    Imhotep Guest

    ....I also believe that such a popular application, as IE, should not go
    unpatched for what, 8 months now? No matter what level of security hole
    it is/was evaluated to. Unlike you, I do not make such foolish excuses...

    Imhotep, Dec 2, 2005
  20. Imhotep

    Imhotep Guest

    Ah, you also forgot totally redoing the XBox...I guess that was where their
    attention was....

    But, hey, I heard that the XBox was "blue screening" too!!!!!! Some things
    never change, like Microsoft "quality".

    Imhotep, Dec 2, 2005