Where is the IE zero day exploit in the news...

Discussion in 'Security Software' started by Imhotep, Nov 27, 2005.

  1. Imhotep

    Imhotep Guest

    ....still waiting for popular news sites to carry the article. Could it be
    that MS is putting on the pressure not to carry the article, in popular
    news sites, UNTIL there is a fix? Could it be that they are trying to
    prevent more IE to Firefox converts? Say it ain't so....say it ain't so....


    Imhotep
     
    Imhotep, Nov 27, 2005
    #1

  2. ....
     
    Shenan Stanley, Nov 27, 2005
    #2

  3. Imhotep

    Imhotep Guest

    ....
     
    Imhotep, Nov 27, 2005
    #3
  4. I just don't think having CNN, Yahoo, BBC report on another vulnerability in
    IE would push more people to FireFox.

    Most people wouldn't understand what it all meant or would zone out/skim
    over it because it is of no interest to them - that is their tech-support's
    problem - not theirs - even if they have their own computer(s) at home they
    manage.

    Those who switch to FireFox do so because of encouragement from people they
    know/trust/asked advice from. At most - they might ask someone they
    know/trust and usually ask advice from about the article/broadcast they just
    read/heard/saw - and then - the person they ask may not either be informed
    of the issue yet or could be neutral/in a weird mood/just not care/have a
    different attitude about it all and give them advice like "Use the Off By
    One Web Browser".. ( http://www.offbyone.com/ ) and walk away.

    Do I tell people to try FireFox?
    Yep.

    Do I do it because of vulnerabilities found in IE?
    Nope.

    Now - should this whole thing be some big news story?
    I don't know - I don't make those decisions. I know that if I were a head
    honcho with one of the larger news reporting agencies - I probably would
    have the attitude protrayed in so many movies about the news media - what
    story will cause the most sensational outcry? What story will make the most
    people stand up and argue and thus watch/read my news as opposed to the
    1000's of other choices they have? Yeah - Internet Explorer vulnerability
    just doesn't make the top of the list because too many of the
    listeners/watchers/readers won't care.

    Sad?
    Maybe.

    True?
    Probably.

    Have you paid attention to the news lately?
    All of it?

    There's probably a reason.
     
    Shenan Stanley, Nov 27, 2005
    #4
  5. This vulnerability affects Firefox as well. So it's not really an "IE
    vuln."

    http://xforce.iss.net/xforce/xfdb/20783
     
    karl levinson, mvp, Nov 27, 2005
    #5
  6. Imhotep

    Imhotep Guest


    Nice try but it does not allow remote code execution from some web site
    somewhere....

    With IE you can visit a web site and lose control of your PC...

    Enough said.

    Oh and MS has known about this for how long? Since May? Granted it was
    listed as a DOS but still, it has been how many months?

    Imhotep
     
    Imhotep, Nov 27, 2005
    #6
  7. Imhotep

    Unruh Guest

    From that page
    "It is reported that this vulnerability could be exploited to cause a
    denial of service on Firefox and Opera Web browsers, but remote code
    execution is not possible."

    I would say that remote code execution is far worse than crashing the
    browser.
     
    Unruh, Nov 28, 2005
    #7
  8. Imhotep

    Imhotep Guest

    ....thanks. That is exactly what I have been trying to say...

    Im
     
    Imhotep, Nov 28, 2005
    #8
  9. No, what you've been trying to say is that Microsoft was severely in error
    and should not have rated this as "low" when it was "only a denial of
    service." But that's the opposite of what the two of you are saying now
    when considering the exact same vulnerability affecting Firefox, that it's
    OK to minimize the Firefox vuln as being "just a denial of service." There
    are two different viewpoints being expressed here that are inconsistent with
    each other. If the Firefox vuln is "only a denial of service," then the IE
    vuln has only been a known remote code execution vuln for a week or so, not
    six months.

    Microsoft is being faulted here for not notifying customers [although it
    has]. I couldn't find anything on the Firefox web site about this. Not
    only haven't they patched this, they haven't notified customers like
    Microsoft has. Presumably they're still testing and reproducing the
    vulnerability. Which goes back to what I was saying about not assuming that
    Microsoft can necessarily always repro a vuln overnight when a finder
    refuses to give them all the details.
     
    Karl Levinson, mvp, Nov 28, 2005
    #9
  10. Imhotep

    Unruh Guest

    I never said anything like that. I said that remote code execution is much
    worse than denial of service and I still stand by that.
    And I said "only denial of service" where?

    6 months sounds a bit extreme however. You must live at the north pole or
    south pole, for that to be overnight.
     
    Unruh, Nov 28, 2005
    #10
  11. That's not in dispute.
    Check the message headers. I wasn't responding to you.
    Or, perhaps they rated it as low priority because it was "only a denial of
    service."
     
    karl levinson, mvp, Nov 29, 2005
    #11
  12. Imhotep

    Imhotep Guest


    The bug finder did not notify Firefox. He/She notified
    Microsoft....Microsoft then sat on its hands for 6 or so months not fixing
    the bug and now allowing people to get cracked.

    Imhotep
     
    Imhotep, Nov 30, 2005
    #12
  13. Imhotep

    Imhotep Guest


    Again, low or not, it HAS BEEN 6 months. Second, Microsoft obviously dropped
    the ball in evaluating the security hole....for 6 months...which is the
    point of this thread.

    Imhotep
     
    Imhotep, Nov 30, 2005
    #13
  14. Where did you read that? I have found nothing to show Microsoft was
    notified of this.
    You don't know and are only guessing what Microsoft did or didn't do with
    this. As you stated, remote code execution vulns are worse than browser
    crash vulns. So, by that statement, Microsoft was correct to prioritize
    working on fixing other remote code execution vulns first.
     
    Karl Levinson, mvp, Dec 1, 2005
    #14
  15. No, like you, Microsoft prioritized it lower than other vulns, because like
    you, they consider remote code execution vulns to be worse than browser
    crash vulns.
     
    Karl Levinson, mvp, Dec 1, 2005
    #15
  16. Imhotep

    Unruh Guest

    You mean Microsoft had so many "remote code execution" vulnerabilities that
    they could not get to serious but lesser things in 6 months? They claim to
    be able to rewrite a whole operating system in only a few times that
    timeframe. If your scenario is correct then MS is far worse than its worst
    critics claim it is.
     
    Unruh, Dec 1, 2005
    #16
  17. Imhotep

    Alun Jones Guest

    Or, to put it a different way, Microsoft could have added another patch that
    likely requires you to reboot your operating system for a low-level
    denial-of-service issue that wasn't being exploited, and because it was a
    low-level DoS, wasn't likely to be exploited.

    Yeah, that would be just wonderful, wouldn't it? "Microsoft made me reboot my
    machine - again - for /nothing/?"

    You can't just release patches and assume that everyone will be happy.

    You have to test the patches (and remember, not everyone installs every patch,
    so you have to test a number of different variations of installations), and
    then you have to decide "is the damage to our users' systems going to be
    greater if we release the patch than if we wait for the next service pack or
    other patch to this portion?"

    For IE, the chances would be high that some other patch would need to go out,
    so why force an update (and a reboot) for a minor issue, knowing that it would
    likely not be attacked before the next time you got to issue a patch?

    You are talking in such black and white terms, it's as if you miss the
    whole complexity of the issue.

    Alun.
    ~~~~

    [Please don't email posters, if a Usenet response is appropriate.]
     
    Alun Jones, Dec 1, 2005
    #17
  18.  
    Karl Levinson, mvp, Dec 2, 2005
    #18
  19. Imhotep

    Imhotep Guest

    Microsoft was notified, what 8 months ago? After reviewing it, they
    mistakenly "evaluated" it as low...
    Please, spare me. What I said was given the choice of a browser blowing up
    or allowing ANY web site to run ANY binary on my PC, I would wisely choose
    my browser blowing up. Now, face it, once and for all, your mighty
    Microsoft, yet again, screwed their customers by not putting any "research"
    into evaluating this serious security hole. You can fight this fact, and
    try to twist words around but, all you do is prove to me that I am right in
    saying "Yet again MS users are better off looking at another
    platform"...squirm all you want but you are on the "hook"...

    Imhotep
     
    Imhotep, Dec 2, 2005
    #19
  20. Imhotep

    Imhotep Guest


    ....I also believe that such a popular application, as IE, should not go
    unpatched for what, 8 months now? No matter what level of security hole
    it is/was evaluated to. Unlike you, I do not make such foolish excuses...

    Imhotep
     
    Imhotep, Dec 2, 2005
    #20