Re: To Anyone who has Internet Explorer Installed or any other browser (Everybody)
From: Lance Delacroix (lance_delacroix_at_fastmail.fm)
Date: 06/06/03
- Next message: Dave Korn: "Re: To Anyone who has Internet Explorer Installed or any other browser (Everybody)"
- Previous message: OneGuy: "Re: Where to purchase my book"
- In reply to: dkg_ctc: "Re: To Anyone who has Internet Explorer Installed or any other browser (Everybody)"
- Next in thread: dkg_ctc: "Re: To Anyone who has Internet Explorer Installed or any other browser (Everybody)"
- Reply: dkg_ctc: "Re: To Anyone who has Internet Explorer Installed or any other browser (Everybody)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 06 Jun 2003 19:38:03 +0300
On 6 Jun 2003 14:27:21 GMT, "dkg_ctc" <dontknowguilt@hotmail.com>
pronounced a fatwah thus:
>yosponge@yahoo.com (sponge) wrote in
>news:8d76ec03.0306052238.422f331f@posting.google.com:
>
>> On 5 Jun 2003 16:47:38 GMT, "dkg_ctc"
>> <dontknowguilt@hotmail.com> wrote:
>>
>>>yosponge@yahoo.com (sponge) wrote in
>>>news:8d76ec03.0306050223.18fa0aa6@posting.google.com:
>>>
>>>> Two things, and I'll make them quick. First, a virus has been
>>>> discovered by Kaspersky's about two weeks ago which uses an
>>>> exploit in Internet Explorer that has been known -- and
>>>> unpatched by Microsoft -- for two years.
>>>
>>>The only mention of "two years" that I can find on the page is
>>>the following:
>>>
>>>"According to Kaspersky Labs statistics, over 85% of virus
>>>incidences in 2002 were caused by malicious programs such as
>>>'Klez' and 'Lentin' that exploit the IFRAME Internet Explorer
>>>vulnerability, which was discovered over two years ago, and thus
>>>users have had plenty of time to install the patch and protect
>>>themselves against any similar virus appearing in the future."
>>>
>>>This suggests that the advisory is referring to two separate
>>>bugs-- one that has been known, and patched, for two years, and
>>>one that is relatively new.
>>
>> Then why after two years is there still not sufficient bounds
>> checking on IE's handling of IFRAMES, which allowed these
>> exploits to occur?
>
>This isn't an exploit regarding IFRAMEs. It's an "exploit" that
>exists by opening a ZIP archive, and then opening a file in the
>archive.
>
>>>> There is no way to "lock down" the browser; the only possible
>>>> way to secure yourself from this is to discontinue using
>>>> Internet Explorer entirely.
>>>
>>>Or install IE6, which as reported by your own links is
>>>unaffected.
>>
>> A large percentage of people still use pre-6 versions.
>
>Which says nothing regarding the fact that "the only possible way
>to secure yourself from this is to discontinue using Internet
>Explorer entirely" was completely inaccurate.
>
>*snip*
>>>> On a related note, yet another flaw has been discovered in
>>>> Internet Explorer that allows remote code execution. According
>>>> to Microsoft's security update, this affects even those who DO
>>>> NOT use Internet Explorer as their browser (read: everybody.)
>>>
>>>Yes, because there are numerous programs that use IE to render.
>>>If you read the security bulletin, the vulnerabilities have to
>>>do with "not properly determining an object type returned from a
>>>web server" and "not implementing an appropriate block on a file
>>>download dialog box". So basically, both these flaws only come
>>>into effect when you visit a remote site, or receive a malicious
>>>HTML e-mail that is rendered by IE.
>>
>> Sure, but that's the problem. Were a webmaster inclined to
>> exploit these flaws, he could. Also, we all know that Outlook
>> Express (and other email clients like Eudora) use IE to render
>> pages, recipients of malicious messages are susceptible too.
>
>Yes...and? That's why Microsoft said it affects people who don't
>use Internet Explorer as their browser, and that's why there's a
>patch out for it. Are you actually pointing to the fact that
>there's a security patch out for insecurity? That's just the way
>software works.
>
>>>> At least there's a patch for this. However, IE still cannot be
>>>> safely used.
>>>
>>>Not that I disagree, but you didn't do a very good job of making
>>> your case in this post.
>>
>> The point was to point out flaws with some commentary.
>
>Seems to me that your point was, "You can't use IE safely", and I
>think that's probably what any sane reader would have seen as the
>point, considering you actually went so far as to repeat that
>point. You referred to an "exploit" which requires you to download
>a ZIP file, open the ZIP file, and run an HTML file in the context
>of the local zone, and a patch which fixes security holes, as
>evidence that Internet Explorer can't be used safely.
>
>> The present flaws -- never mind the hundred or so on file at
>> SecurityFocus -- state that case well.
>
>I agree, but you didn't use those to state your case. You used
>two--IMO--NON-issues to state your case, and that's what I'm taking
>issue with.
Would you please stick to the topic --security-- and save your
rhetorical criticism for some other venue? Take it to the fucking
Supreme Rhetorical Court if you like. Thank you.
> Now if you'd used the Pivx site which lists unpatched
>security holes in IE, then you would have made a better case. As
>it is, you listed a "vulnerability" which requires user
>interaction, and a security patch.