Microsoft Zero Day security holes being exploited

Discussion in 'Computer Security' started by imhotep, Sep 23, 2006.

  1. imhotep

    imhotep Guest

    Microsoft Zero Day security holes being exploited

    "Microsoft has issued warnings about a serious flaw in Internet Explorer
    that allows attackers to hijack a PC via the popular browser

    Researcher Adam Thomas uncovered the exploit which revolves around the way
    that the Internet Explorer browser handles a particular form of graphics
    known as vector graphics.

    A properly crafted webpage can exploit this problem and install almost
    anything they want on the target machine.
    Unusable PC

    Tests by Sunbelt Software on a Windows machine patched with all the latest
    security updates showed attackers installing a huge amount of spyware and
    other malicious programs."

    http://news.bbc.co.uk/2/hi/technology/5365296.stm

    Imhotep
     
    imhotep, Sep 23, 2006
    #1

  2. imhotep

    imhotep Guest

    Replying to the MS blog
    http://blogs.technet.com/msrc/archive/2006/09/22/458266.aspx


    "Attacks remain limited. There's been some confusion about that, that
    somehow attacks are dramatic and widespread."

    It has been said that ATTACKS ARE GROWING. This is the concern. Maybe right
    now there are limited sites that host these attacks but, what does tomorrow
    bring?

    "Of course, that could change at any moment, and regardless of how many
    people are being attacked..."

    This is the point.

    "So right now we're looking at where we hit that quality bar and if that
    occurs prior to the monthly cycle then we will release."

    But wait. MS can release the DRM patch in three days but you are saying that
    your customers might have to wait up to a month? Why is it a third party
    had a patch out in a couple of days and you can't???


    Sadly, I do not believe "confusion" is the issue here. The real issue is,
    yet again, MS customers are taking the hit for an insecure platform. IT
    professionals are taking the hit for an insecure platform. However, if you
    are the Entertainment Industry, MS will take care of you by releasing a DRM
    patch in record time (3 days). Really, one must question where Microsoft's
    priorities are....

    Imhotep
     
    imhotep, Sep 23, 2006
    #2

  3. imhotep

    imhotep Guest

    No actually we are seeing Roger Abell's overly verbose excuses. Yet again.
    To think that the World's richest software company can't fix a serious
    patch in a reasonable amount of time is inexcusable (no doubt Roger will
    try though). To think that a third party can release a patch in 2 days but
    the World's richest software company can't is inexcusable. To think that
    Microsoft can patch a DRM security hole in a record 2-3 days leads one to
    believe that Microsoft's priorities are somewhere other than their users
    and that is inexcusable. The fact that Roger Abell is trying to defend the
    obvious ineptness of Microsoft is well, hilarious.
    The simplest workaround being what? Use Firefox? Then we agree. Better
    yet, the *best* workaround is to ditch Microsoft altogether and get an
    Apple or Linux PC....

    Imhotep
     
    imhotep, Sep 24, 2006
    #3
  4. Talk about verbose !!

    I am defending nothing.

    Now just why do you think that I choose to post a new thread on
    this the day that the exploit became public ??
    Because it had potential and because the advisory and other available
    info provided means for protecting against the threat.

    A discussion of a specific threat is NOT the venue to attempt to
    discuss other, tangential at best, issues, such as time to delivery
    of other fixes, who is in whose bed, etc..

    PS. Can you not control your newsreader and its use of followups?
     
    Roger Abell [MVP], Sep 24, 2006
    #4
  5. imhotep

    imhotep Guest

    ....and I thanked you. As you did the right thing.
    Time to patch is most definitely relevant to all security holes especially
    when the code to exploit the security hole is all over the 'net...

    Now as I stated before, it is shameful that the DRM patch was 3 days but it
    seems that people will have to wait a month (maybe more?) for this security
    hole to be patched. Now come on. Even a Pro Microsoft guy like yourself
    must be a little angry at how the Entertainment Industry gets taken care
    of while users and corporations are getting substandard attention....

    Imhotep
     
    imhotep, Sep 24, 2006
    #5
  6. imhotep

    imhotep Guest

    I guess this shoots your theory to crap, eh? Oh yea, I bet they are lying
    too...

    "Hackers gained access to HostGator's servers late Thursday and began
    redirecting customer sites to outside web pages that exploit an unpatched
    VML security hole in Internet Explorer to infect web surfers with trojans.
    The existence of the new "0-day" exploit of cPanel leaves a large number of
    hosting companies vulnerable to similar attacks until they install the
    patch. The risk is mitigated somewhat by the fact that it is a local
    exploit, meaning any attack on a host must be launched from an existing
    account with cPanel access."

    From: HostGator: cPanel Security Hole Exploited in Mass Hack
    http://news.netcraft.com/archives/2006/09/23/hostgator_cpanel_security_hole_exploited_in_mass_hack.html

    Imhotep
     
    imhotep, Sep 24, 2006
    #6
  7. Think we'll only achieve secure computing when C is dropped in favour of a
    better language. The list of buffer-overflow exploits in every single major
    software-package gets monotonous.

    After all, nobody ever got prosecuted for 'Not realising that guy was going
    to do something silly.' But people do get prosecuted for driving cars with no
    brakes.
     
    Ian, Sep 24, 2006
    #7
  8. If you feel so, then start a thread on that.
    Do not try to take a thread on a specific threat OT.

    ra
     
    Roger Abell [MVP], Sep 24, 2006
    #8
  9. He's probably using some crappy open source newsreader. ;D
     
    Karl Levinson, mvp, Sep 24, 2006
    #9
  10. imhotep

    imhotep Guest

    Karl, I am getting tired of explaining my point but I will one more time. So
    here it goes: Why did the DRM patch NOT GO THROUGH THE SAME 45 DAYS TO TEST????
    Total time to patch for the DRM holes was 3 days. Again, it seems Microsoft's
    priority here was to "protect" the Entertainment Industry. Please address
    this point should you decide to reply...
    Again, you are trying craftily to NOT ANSWER the question. Sorry but, I
    will not let you off the hook:

    Again:

    You claim it takes 45 days to test a patch in Windows. Again, why did
    Microsoft break patching records to produce the DRM patch (3 days). This is
    the contention point here.

    A secondary contention point would be why 45 days (unless you are the
    Entertainment Industry!). If Microsoft needs more programmers/Managers/Code
    Debuggers, hire them. After all, they have what, 60 billion in the bank? Why
    can everyone else get a patch out sooner (Apple, Red Hat, Novell, Open
    Source) as well as have an overall better track record of patch successes?

    Now either answer those questions *or* go away yourself...

    Imhotep
     
    imhotep, Sep 24, 2006
    #10
  11. imhotep

    imhotep Guest

    Ya, one that never gets viruses and one where patches work all of the
    time....imagine that, safe computing does exist (well, for some platforms)!

    ;-)

    Imhotep
     
    imhotep, Sep 24, 2006
    #11
  12. imhotep

    imhotep Guest


    I also posted it. Again, for the record you did the right thing, for this I
    thank you.


    Again, you did the right thing. An informed user can make logical
    decisions...and because Microsoft takes so long to produce patches the
    brunt of the load unfortunately lies on the users to do something while
    Microsoft produces a patch...


    Not at all. The point being made is the time to patch. Again, why can the
    Entertainment Industry get a patch in a record setting 3 days but this
    patch, for a highly critical security hole, will probably take a month and
    a half????

    Again, my point is that clearly, Microsoft views protecting copyrighted
    entertainment as being more important. THIS IS WRONG!!! Securing their
    swiss cheese platform for their users should be their highest priority!!!


    The news server I go through will trash your post if your post goes to more
    than 4 to 5 newsgroups. So, if you are posting to more than that you have
    to break it up into multiple duplicated posts going to groups of
    newsgroups...it does suck but there is no workaround. This is a policy of
    the news server administrator.


    Imhotep
     
    imhotep, Sep 24, 2006
    #12
  13. imhotep

    imhotep Guest


    Not a bad idea...

    Imhotep
     
    imhotep, Sep 24, 2006
    #13
  14. imhotep

    imhotep Guest

    The fact of the matter is this. Nobody knows for sure how many people have
    been infected by this. Nobody knows for sure how many will be infected by
    this tomorrow...and the day after that and so on. How does anyone know? How
    does Trend Micro know? What do they do, scan .01% of the web sites out
    there and make a judgment? This is foolishness.

    Clearly security holes need to be addressed and evaluated by their severity.
    Clearly this security hole is quite severe. Clearly there needs to be a
    patch in record time (like the DRM patch)...

    Imhotep
     
    imhotep, Sep 24, 2006
    #14
  15. imhotep

    imhotep Guest


    As a C programmer (one of many languages I know) that is one of the most
    foolish statements I have heard all year. Buffer-overflows are not caused
    by the programming language. They are caused by bad programmers!!!!!!!!!!!!

    The problem here is that some people want a language to cover up their lack
    of programming skills!!!!!!! Utter foolishness!!!



    If you do not possess the skills to drive a car, why are you attempting to
    drive it??? Driving a car requires a skill set, if you do not possess it,
    don't drive...in either case don't blame the car for your ineptness.


    Imhotep
     
    imhotep, Sep 24, 2006
    #15
  16. imhotep

    imhotep Guest

    Nice job...

    Imhotep
     
    imhotep, Sep 24, 2006
    #16
  17. If you are a skilled car driver why would you choose to use only an
    inferior, cheaply made, sardine tin of an auto that could not meet the
    safety standards of many governments of the day ?

    Why did safe string classes come about?

    Would you choose to go back to GO TO based programming?

    Use of a language that enforces safe code is a good thing.

    Remember Dijkstra? The set of 4 constructs proved sufficient for
    any general purpose language? Remember the arguably academic
    language Pascal (Wirth?) designed to show this? Remember how
    that ushered in a new era in programming and vastly simplified
    software lifecycles?

    Are you saying that languages designed to not allow major problems
    plaguing the software industry are worth naught ?

    You surely do sound to be doing so.
     
    Roger Abell [MVP], Sep 24, 2006
    #17
  18. imhotep

    imhotep Guest

    So, your guarantee means what? Will you personally pay for damages to user's
    PCs? Will you pay for the IT departments' cost of rebuilding/removing
    spyware, viruses, etc?

    If you are going to make such a guarantee back it up, like most
    guarantees...You see it is pretty easy to make such a statement when you
    have no direct possibilities caused by the repercussions of such foolish
    statements.
    Then how do you explain the record breaking time to patch Microsoft's DRM
    hole? Three days to patch? Please explain (no propaganda necessary).

    Imhotep
     
    imhotep, Sep 24, 2006
    #18
  19. Enough of this Im.
    It IS off-topic.

    Besides, contrary to your claim Karl DID answer you.

    In my initial post I also indicated this fact of life to you.

    But, here goes again, one last time.

    An impacted piece of code has a dependency tree, and test coverage
    must be directed by that.

    When a piece of code has few uses, and especially when those uses
    are not complex relative to internationalization, regression testing is
    a much smaller task.

    When a code is a general library, the dependency tree itself can be
    difficult to determine, and coverage testing larger and hence longer.

    You have a comp sci background so I would assume you can see
    those facts quite clearly (should you decide to).

    But, this part I feel you have no real clue about, especially if the code
    can impact visual renderings, then the internationalization becomes a
    very real part of testing. Once a code change might start changing the
    sizes of things it can start changing them differently in the 45 or so
    supported locales, and there are a lot of interfaces that need to have
    been designed sufficiently for the possible size changes.

    Please, take the conspiracy theorist motivated part of this discussion
    to alt dot something.

    This thread should be about the present risks, workarounds, and
    degrees of exposure in the wild - that is, keep to YOUR subject.

    Regards,
    Roger
     
    Roger Abell [MVP], Sep 24, 2006
    #19
  20. From: "Roger Abell [MVP]" <>

    < snip >

    | Please, take the conspiracy theorist motivated part of this discussion
    | to alt dot something.
    |
    | This thread should be about the present risks, workarounds, and
    | degrees of exposure in the wild - that is, keep to YOUR subject.
    |
    | Regards,
    | Roger
    |

    I totally agree.
     
    David H. Lipman, Sep 24, 2006
    #20
