Re: To Anyone who has Internet Explorer Installed or any other browser (Everybody)

From: sponge (yosponge_at_yahoo.com)
Date: 06/10/03


Date: 9 Jun 2003 15:35:51 -0700

On 6 Jun 2003 14:27:21 GMT, "dkg_ctc" <dontknowguilt@hotmail.com>
wrote:

>yosponge@yahoo.com (sponge) wrote in
>news:8d76ec03.0306052238.422f331f@posting.google.com:
>
>> On 5 Jun 2003 16:47:38 GMT, "dkg_ctc"
>> <dontknowguilt@hotmail.com> wrote:
>>
>>>yosponge@yahoo.com (sponge) wrote in
>>>news:8d76ec03.0306050223.18fa0aa6@posting.google.com:
>>>
>>>> Two things, and I'll make them quick. First, a virus has been
>>>> discovered by Kaspersky's about two weeks ago which uses an
>>>> exploit in Internet Explorer that has been known -- and
>>>> unpatched by Microsoft -- for two years.
>>>
>>>The only mention of "two years" that I can find on the page is
>>>the following:
>>>
>>>"According to Kaspersky Labs statistics, over 85% of virus
>>>incidences in 2002 were caused by malicious programs such as
>>>'Klez' and 'Lentin' that exploit the IFRAME Internet Explorer
>>>vulnerability, which was discovered over two years ago, and thus
>>>users have had plenty of time to install the patch and protect
>>>themselves against any similar virus appearing in the future."
>>>
>>>This suggests that the advisory is referring to two separate
>>>bugs-- one that has been known, and patched, for two years, and
>>>one that is relatively new.
>>
>> Then why after two years is there still not sufficient bounds
>> checking on IE's handling of IFRAMES, which allowed these
>> exploits to occur?
>
>This isn't an exploit regarding IFRAMEs. It's an "exploit" that
>exists by opening a ZIP archive, and then opening a file in the
>archive.

I was responding to a citation you posted. If you didn't want people
responding to it, don't post it.
More to the point, Microsoft has had ample warning, but did not patch
the affected versions. Which, incidentally, are only one version old
-- legacy software, perhaps, but we're not talking about ancient
history here. It is well within expectations for MS to patch such a
recent version of IE.

>>>> There is no way to "lock down" the browser; the only possible
>>>> way to secure yourself from this is to discontinue using
>>>> Internet Explorer entirely.
>>>
>>>Or install IE6, which as reported by your own links is
>>>unaffected.
>>
>> A large percentage of people still use pre-6 versions.
>
>Which says nothing regarding the fact that "the only possible way
>to secure yourself from thsi is to discontinue using Internet
>Explorer entirely" was completely inaccurate.

No, actually it's entirely accurate. The point is that IE is too
unsafe to use in any form. Not only was that the point of the this
thread, but a point brought up in posts of mine (and others) too
numerous to mention.

>*snip*
>>>> On a related note, yet another flaw has been discovered in
>>>> Internet Explorer that allows remote code execution. According
>>>> to Microsoft's security update, this affects even those who DO
>>>> NOT use Internet Explorer as their browser (read: everybody.)
>>>
>>>Yes, because there are numerous programs that use IE to render.
>>>If you read the security bulletin, the vulnerabilities have to
>>>do with "not properly determining an object type returned from a
>>>web server" and "not implementing an appropriate block on a file
>>>download dialog box". So basically, both these flaws only come
>>>into affect when you visit a remote site, or receive a malicious
>>>HTML e-mail that is rendered by IE.
>>
>> Sure, but that's the problem. Were a webmaster inclined to
>> exploit these flaws, he could. Also, we all know that Outlook
>> express (and other email clients like Eudora) use IE to render
>> pages, recipients of malicious messages are susceptible too.
>
>Yes...and? That's why Microsoft said it effects people who don't
>user Internet Explorer as their browser, and that's why there's a
>patch out for it. Are you actually pointing to the fact that
>there's a security patch out for insecurity? That's just the way
>software works.

The point is that IE and it's poor coding can affect other
applications. That's one of the prime reasons I recommend against it,
and also why I have recommended both in newsgroups and on my site that
IE be locked down even if users plan on using other browsers.
I HAVE pointed out that Microsoft has a tendency to not simply patch,
but add "features" (Read: security holes, potential exploits, etc.) in
patches and upgrades. Since ungrading to IE6 is the only way of fixing
some flaws in IE, you are dealing with the introduction of a new set
of problems.
That's not "patching". In fact, one could credibly argue that
Microsoft deliberately did not patch prior versions of IE in order to
force users to upgrade to the most current version.

>>>> At least there's a patch for this. However, IE still cannot be
>>>> safely used.
>>>
>>>Not that I disagree, but you didn't do a very good job of making
>>> your case in this post.
>>
>> The point was to point out flaws with some commentary.
>
>Seems to me that your point was, "You can't use IE safely", and I
>think that's probably what any sane reader would have seen as the
>point, considering you actually went so far as to repeat that
>point. You referred to an "exploit" which requires you to download
>a ZIP file, open the ZIP file, and run an HTML file in the context
>of the local zone, and a patch which fixes security holes, as
>evidence that Internet Explorer can't be used safely.

The point WAS that you can't use IE safely, and I referred to two
exploits: one was patched, one was not after how long.

>> The present flaws -- never mind the hundred or so on file at
>> SecurityFocus -- state that case well.
>
>I agree, but you didn't use those to state your case. You used
>two--IMO--NON-issues to state your case, and that's what I'm taking
>issue with. Now if you'd used the Pivx site which lists unpatched
>security holes in IE, then you would have made a better case. As
>it is, you listed a "vulnerability" which requires user
>interaction, and a security patch.

I actually had a better link to browser-specific flaws (including some
in Opera), although I cannot find it. Nonetheless, I cited two recent
and highly valid flaws. And I followed up with recent
BugTraq-documented flaws. Sounds like you're sore that I'm not
representing Pivx, fine. Pivx is an excellent site which provides an
top-notch service. But BugTraq is considered one of the preeminent
tracking houses in the security industry, and lists a litany of IE
flaws as well as other most other known security risks and flaws in
every kind of software.

Sponge
Sponge's Anti-Spyware Source
www.geocities.com/yosponge



Relevant Pages