Re: Is additional firewall necessary?
Sebastian Gottschalk <seppi@xxxxxxxxx> wrote:
Frank Slootweg wrote:

OE inherits the vulnerabilities from IE. Cites for IE can be found in
"Windows XP/Server 2003 Security Guide", Group Policies, Object Caching
Protection (of course, with a good understanding of the involved issue).
You may also take a look at the policy "Automatic COM+ downloads".

That does not support what you claim Microsoft is saying. I.e. you
claim that Microsoft says that OE is not safe for e-mail/News, but those
documents don't say *that*.

If you understand the technical blah blah, they say exactly that: We
implemented a trivially incomplete solution to a known design-based
vulnerability. Thus, they documented the existence of an unpatched
vulnerability.

Yes, but *Microsoft* is *not* *saying* that OE is not safe for e-mail/
News. *You* say that.

But enough about this. We now know for sure that you gave your
interpretation/opinion, not any statement from Microsoft.

Anyone could exploit it as he wants, and you can't do anything against it.

Yes, one *can* "do anything against it". Your continued silent
snipping does not change that fact.

That's indeed unsafe.

FWIW, I fully agree that OE's *default* configuration is quite unsafe
and that is indeed a big problem.

[deleted]

Indeed, that's where OE can be safely used.

OE *can* be safely used anywhere.

Wrong. If you can receive untrusted mail content, then no configuration or
careful user behaviour whatsoever could protect it against being trivially
exploited.

Wrong. As I said, all it takes is changing one setting from its
default.

I'm not pretending otherwise. This is exactly fully coherent with what I
wrote: If you showed such a user a trivial diagram of how many
vulnerabilities OE had and still has (as well as a colorful indication of how
critical the vulnerabilities are), and as comparisons those of serious
eMail programs, I'd say they definitely get the point.

Your "If" makes your comment a theoretical argument.

No one talked about application, just about who's to blame for the problem.

No-one is doing such a thing for the vast majority of the users.

Well, any reasonably acting user would acquire such knowledge by themselves.
Thus, if they don't, it's PEBKAC, the user is to blame.

Your "any reasonably acting user" is a minute minority. It's so minute
that *it* is hardly relevant.

So you can jump up and down all you like and yell PEBKAC, but, as I
said and you snipped, it's not going to change anything in the *real*
world.