[Full-Disclosure] Microsoft and Security

Date: 06/25/04

    To: <full-disclosure@lists.netsys.com>
    Date: Fri, 25 Jun 2004 18:53:44 -0000

    Where is Microsoft now "protecting their customers" as they love
    to bray? Should not someone in authority of this public company
    step forward and explain themselves at this time?

    All of a sudden panic is being created across the WWW with "IIS
    Exploit Infecting Web Site Visitors With Malware", "Mysterious
    Attack Hits Web Servers", "Researchers warn of infectious Web
    sites", all stemming, by all news accounts, from an
    unpatched "problem" with Internet Explorer now two weeks old and
    counting, which in fact stems from 10 months ago,
    that being the adodb.stream safe for scripting control with
    write capabilities.

    What exactly is being done about this? Nothing. What do
    multiple billions of dollars buy you today? Nothing. However, for
    $20 million you can almost fly to the moon.

    Someone ought to step forward and explain what exactly is
    happening at this public company. The great "protector of their
    customers". One might even suggest that their entire "security"
    mandate be re-examined. What exactly do they consider a
    vulnerability? Something that suits them or something that's
    cost-effective to fix? So what, a few people lose their
    identities, have a few dollars extracted from their bank
    accounts, have their home pages reset, we'll fix it when it
    suits us as we have to be on budget this quarter. The Big Boss
    says $40 billion isn't enough this year.

    A vulnerability:

    "A security vulnerability is a flaw in a product that makes it
    infeasible – even when using the product properly – to prevent an
    attacker from usurping privileges on the user's system,
    regulating its operation, compromising data on it, or assuming
    ungranted trust."

    What is this gibberish? For the past 10 months the adodb.stream
    object is capable of writing files to the "all important
    customer's" computer. It has real world consequences. It rapes
    their computer. Does it fit into the gibberish custom
    definition? Plain and simple: "A security vulnerability is a
    flaw in a product that makes it infeasible". What kind of
    language is this? Reads like the financial department conjured
    it up.

    Disabling scripting won't solve it. Putting sites in one of the
    myriad of "zones" won't solve it. Internet Explorer can
    trivially be fooled into operating in the less than secure
    so-called "intranet zone" and it can be guided there remotely.

    What's happening here? Where is the Microsoft representative
    explaining all of this to the shareholders and "customers" they
    so dearly wish to protect? This is unacceptable. Someone must
    be held accountable.

    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
