Re: To Anyone who has Internet Explorer Installed or any other browser (Everybody)
From: dkg_ctc (dontknowguilt_at_hotmail.com)
Date: 06/06/03
- Next message: invalid: "Re: Where to purchase my book"
- Previous message: Me: "Re: Where to purchase my book"
- Next in thread: Lance Delacroix: "Re: To Anyone who has Internet Explorer Installed or any other browser (Everybody)"
- Reply: Lance Delacroix: "Re: To Anyone who has Internet Explorer Installed or any other browser (Everybody)"
- Maybe reply: Dave Korn: "Re: To Anyone who has Internet Explorer Installed or any other browser (Everybody)"
- Maybe reply: donut: "Re: To Anyone who has Internet Explorer Installed or any other browser (Everybody)"
- Maybe reply: Dave Korn: "Re: To Anyone who has Internet Explorer Installed or any other browser (Everybody)"
- Maybe reply: Jay T. Blocksom: "Re: To Anyone who has Internet Explorer Installed or any other browser (Everybody)"
- Reply: sponge: "Re: To Anyone who has Internet Explorer Installed or any other browser (Everybody)"
Date: 6 Jun 2003 14:27:21 GMT
yosponge@yahoo.com (sponge) wrote in
news:8d76ec03.0306052238.422f331f@posting.google.com:
> On 5 Jun 2003 16:47:38 GMT, "dkg_ctc"
> <dontknowguilt@hotmail.com> wrote:
>
>>yosponge@yahoo.com (sponge) wrote in
>>news:8d76ec03.0306050223.18fa0aa6@posting.google.com:
>>
>>> Two things, and I'll make them quick. First, a virus has been
>>> discovered by Kaspersky's about two weeks ago which uses an
>>> exploit in Internet Explorer that has been known -- and
>>> unpatched by Microsoft -- for two years.
>>
>>The only mention of "two years" that I can find on the page is
>>the following:
>>
>>"According to Kaspersky Labs statistics, over 85% of virus
>>incidences in 2002 were caused by malicious programs such as
>>'Klez' and 'Lentin' that exploit the IFRAME Internet Explorer
>>vulnerability, which was discovered over two years ago, and thus
>>users have had plenty of time to install the patch and protect
>>themselves against any similar virus appearing in the future."
>>
>>This suggests that the advisory is referring to two separate
>>bugs-- one that has been known, and patched, for two years, and
>>one that is relatively new.
>
> Then why after two years is there still not sufficient bounds
> checking on IE's handling of IFRAMES, which allowed these
> exploits to occur?
This isn't an exploit regarding IFRAMEs. It's an "exploit" that
exists by opening a ZIP archive, and then opening a file in the
archive.
>>> There is no way to "lock down" the browser; the only possible
>>> way to secure yourself from this is to discontinue using
>>> Internet Explorer entirely.
>>
>>Or install IE6, which as reported by your own links is
>>unaffected.
>
> A large percentage of people still use pre-6 versions.
Which says nothing regarding the fact that "the only possible way
to secure yourself from this is to discontinue using Internet
Explorer entirely" was completely inaccurate.
*snip*
>>> On a related note, yet another flaw has been discovered in
>>> Internet Explorer that allows remote code execution. According
>>> to Microsoft's security update, this affects even those who DO
>>> NOT use Internet Explorer as their browser (read: everybody.)
>>
>>Yes, because there are numerous programs that use IE to render.
>>If you read the security bulletin, the vulnerabilities have to
>>do with "not properly determining an object type returned from a
>>web server" and "not implementing an appropriate block on a file
>>download dialog box". So basically, both these flaws only come
>>into effect when you visit a remote site, or receive a malicious
>>HTML e-mail that is rendered by IE.
>
> Sure, but that's the problem. Were a webmaster inclined to
> exploit these flaws, he could. Also, we all know that Outlook
> Express (and other email clients like Eudora) use IE to render
> pages, recipients of malicious messages are susceptible too.
Yes...and? That's why Microsoft said it affects people who don't
use Internet Explorer as their browser, and that's why there's a
patch out for it. Are you actually pointing to the fact that
there's a security patch out for insecurity? That's just the way
software works.
>>> At least there's a patch for this. However, IE still cannot be
>>> safely used.
>>
>>Not that I disagree, but you didn't do a very good job of making
>>your case in this post.
>
> The point was to point out flaws with some commentary.
Seems to me that your point was, "You can't use IE safely", and I
think that's probably what any sane reader would have seen as the
point, considering you actually went so far as to repeat that
point. You referred to an "exploit" which requires you to download
a ZIP file, open the ZIP file, and run an HTML file in the context
of the local zone, and a patch which fixes security holes, as
evidence that Internet Explorer can't be used safely.
> The present flaws -- never mind the hundred or so on file at
> SecurityFocus -- state that case well.
I agree, but you didn't use those to state your case. You used
two--IMO--NON-issues to state your case, and that's what I'm taking
issue with. Now if you'd used the Pivx site which lists unpatched
security holes in IE, then you would have made a better case. As
it is, you listed a "vulnerability" which requires user
interaction, and a security patch.