Where is the IE zero day exploit in the news...

Has anyone notice that there is not a single meantion of the latest IE vuln
in the news (popular news sites like cnn, yahoo, bbc, etc)???

Imhotep

 

....still waiting for popular news sites to carry the article. Could it be
that MS is putting on the pressure not to carry the article, in popular
news sites, UNTIL there is a fix? Could it be that they are trying to
prevent more IE to Firefox converts? Say it ain't so....say it ain't so....


Imhotep

 

....

 

This vulnerability affects Firefox as well. So it's not really an "IE
vuln."

http://xforce.iss.net/xforce/xfdb/20783

 

Nice try but it does not allow remote code execution from some web site
somewhere....

With IE you can visit a web site and lose control of your PC...

Enough said.

Oh and MS has known about this for how long? Since May? Granted it was
listed as a DOS but still, it has been how many months?

Imhotep

 

From that page
"It is reported that this vulnerability could be exploited to cause a
denial of service on Firefox and Opera Web browsers, but remote code
execution is not possible."

I would say that remote code execution is far worse than crashing the
browser.

 

....thanks. That is exactly what I have been trying to say...

Im

 

No, what you've been trying to say is that Microsoft was severely in error
and should not have rated this as "low" when it was "only a denial of
service." But that's the opposite of what the two of you are saying now
when considering the exact same vulnerability affecting Firefox, that it's
OK to minimize the Firefox vuln as being "just a denial of service." There
are two different viewpoints being expressed here that are inconsistent with
each other. If the Firefox vuln is "only a denial of service," then the IE
vuln has only been a known remote code execution vuln for a week or so, not
six months.

Microsoft is being faulted here for not notifying customers [although it
has]. I couldn't find anything on the Firefox web site about this. Not
only haven't they patched this, they haven't notified customers like
Microsoft has. Presumably they're still testing and reproducing the
vulnerability. Which goes back to what I was saying about not assuming that
Microsoft can necessarily always repro a vuln overnight when a finder
refuses to give them all the details.

 

I never said anything like that. I said that remote code execution is much
worse than denial of service and I still stand by that.

And I said "only denial of service" where?

6 months sounds a bit extreme however. You must live at the north pole or
south pole, for that to be overnight.

 

That's not in dispute.

Check the message headers. I wasn't responding to you.

Or, perhaps they rated it as low priority because it was "only a denial of
service."

 

The bug finder did not notify Firefox. He/She notified
Microsoft....Microsoft then sat on it's hands for 6 or so months not fixing
the bug and now allowing people to get cracked.

Imhotep

 

Again, low are not it HAS BEEN 6 months. Second, Microsoft obviously dropped
the ball in evaluating the security hole....for 6 months...which is the
point of this thread.

Imhotep

 

Where did you read that? I have found nothing to show Microsoft was
notified of this.

You don't know and are only guessing what Microsoft did or didn't do with
this. As you stated, remote code execution vulns are worse than browser
crash vulns. So, by that statement, Microsoft was correct to prioritize
working on fixing other remote code execution vulns first.

 

No, like you, Microsoft prioritized it lower than other vulns, because like
you, they consider remote code execution vulns to be worse than browser
crash vulns.

 

You mean Microsoft had so many "remote code execution" vulnerabilities that
they could not get to serious but lesser things in 6 months? They claim to
be able to rewrite a whole operating system in only a few times that
timeframe. If your scenario is correct then MS is far worse than its worst
critics claim it is.

 

Or, to put it a different way, Microsoft could have added another patch that
likely requires you to reboot your operating system for a low-level
denial-of-service issue that wasn't being exploited, and because it was a
low-level DoS, wasn't likely to be exploited.

Yeah, that would be just wonderful, wouldn't it? "Microsoft made me reboot my
machine - again - for /nothing/?"

You can't just release patches and assume that everyone will be happy.

You have to test the patches (and remember, not everyone installs every patch,
so you have to test a number of different variations of installations), and
then you have to decide "is the damage to our users' systems going to be
greater if we release the patch than if we wait for the next service pack or
other patch to this portion?"

For IE, the chances would be high that some other patch would need to go out,
so why force an update (and a reboot) for a minor issue, knowing that it would
likely not be attacked before the next time you got to issue a patch?

You are talking in such black and white terms, it's as if you miss the
whole complexity of the issue.

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]

 

Microsoft was notified, what 8 months ago? After reviewing it, they
mistakenly "evaluated" it as low...

Please, spare me. What I said was given the choice of a browser blowing up
or allowing ANY web site to run ANY binary on my PC, I would wisely choose
my browser blowing up. Now, face it, once and for all, your mighty
Microsoft, yet again, screwed thier customers by not putting any "research"
into evaluating this serious security hole. You can fight this fact, and
try to twist words around but, all you do is prove to me that I am right in
saying "Yet again MS users are better off looking at another
platform"...squirm all you want but you are on the "hook"...

Imhotep

 

....I also believe that such a popular application, as as IE, should not go
unpatched for what 8 months now? No matter what what level of security hole
it is/was evaluated to. Unlike you, I do not make such foolish excuses...

Imhotep

 

Ah you also forgot totally redoing the XBox...I guess that was were their
attention was....

But, hey, I heard that the XBox was "blue screening" too!!!!!! Somethings
never change, like Microsoft "quality".

Imhotep