Re: Microsoft Internet Explorer Malformed HTML Parsing Denial of Service Vulnerability
- From: Imhotep <imhotep@xxxxxxxxxx>
- Date: Wed, 31 May 2006 01:11:00 -0400
Sebastian Gottschalk wrote:
Imhotep wrote:
Eh, no. Even on Unix they concluded "yes, we could carefully
deinitialize and restart this specific services with dependencies, but
it would be too complicated to implement, so we better restart the whole
system."
I stop/start/restart services every day as we are a UNIX shop. I almost
NEVER have to reboot (except when upgrading the OS)...
I meant kernel services from a system view, not these services services.
When changing some not dynamically loaded kernel components, you'll have
to reboot.
The only time you have to reboot UNIX is when upgrading/altering the kernel,
generally speaking. Even kernel modules can be loaded/unloaded while the
system is up and running perfectly fine. Frankly, this is acceptable since
you very rarely upgrade your kernel. Everything else does not require
rebooting...
For Windows, it's just that there are more scenarios requiring a reboot.
Just about everything requires a reboot in Windows...
Only if you don't know what to do. Some people reboot for unlocking open
files, some other people just enter the admin password, acquire debug
privilege and invalidate the file handle using Unlocker or Process
Explorer (of course, there's no default tool that has such an ability).
I am talking about the foolish requirement when you install software. Why is
it the majority of the time if I install software (applications) I have to
reboot. This is the foolishness to which I speak...
I remember my last reboot was... ehm... eh... sorry, simply can't
remember such a long time. Must have been somewhere around the initial
setup about a year ago (when the previous harddisk died).
I guess you did not patch that Windows box of yours!
I have some linux boxes that have been running for years. Literally 3+
years...(even patched them without rebooting, no kernel patches that is)
That is very typical....
This is very typical for every programmer who doesn't have a
sufficiently deep clue. The real problem is that Microsoft shouldn't let
such underqualified people handle important security stuff, and I know
that they do have qualified programmers.
Every company has qualified people. Microsoft's problem is that they care
more about marketing than quality...that is their problem. Case in point
is Vista. They had an opportunity to finally force vendors to make software
that does not require users to be in the local admin group (bad security).
Now, I know from experience that you can get most MS software to run by
altering permission/groups/or runas but this is not out-of-the-box
behavior. Instead of doing this (telling software vendors to make software
that is installed as a local admin but run by regular users) they said we
will use the UAC and just bombard users with permission questions. This is
just plain foolish. How many users will just answer "yes" to everything
thus making the "security" behind the idea moot?
How about demanding software quality and timely patches?
Dunno, but from what Guninski and Lie Di Yu concluded about some serious
design bugs IE was never designed/intended to be used in an untrusted
network (like the internet).
I believe it.
I don't. There are some other smaller design errors which could be fixed
without revamping the entire code, and a lot of errors are really just
random programming errors.
Some probably are small design errors and some probably are deep structural
and thus are difficult to fix.
So far only the cross-domain policy and the entire concept of ActiveX
are definitely broken. The rest is just lousy.
Cross domain was always a bad joke. Active-x was just Microsoft's way to
have a java-like application. Most companies don't even allow active-x
through their firewalls for good reason.
Well, there's a difference between intent and suitability. :-)
How many times do you guys have to relive the same problems before
something clicks?
Until it's explicitly written into a (online) manual about IE? I guess
not even then.
hahahaha...
Don't wonder, in Microsoft online documentation you'll find explicit
warning about the unencrypted nature of using telnet, rcp, rsh and rexec
with recommendations for SSH, SCP and SFTP. You'll find warnings that LM
hashes are bad, bad, bad. You'll even find some press paper admitting
that Win98's multi-monitor support was beta quality.
It is not rocket science...
Imhotep