Re: Is MSIE dead as a browser - if Microsoft does not patch it then it is as far as I am concerned!

From: anonymous (anonymous_at_discussions.microsoft.com)
Date: 06/26/04


Date: Fri, 25 Jun 2004 21:33:21 -0700

WinGuy, you sound like a real M$ apologist. There are
currently 3 identified IE vulnerabilities. One of which was
discovered almost 3 weeks ago. M$ issuing patches "PDQ" is
laughable!

I read an article from a well respected security site just
last night. Since 2001, MSIE has been patched against ~153
vulnerabilities. That should tell anyone all they need to
know.
 
>-----Original Message-----
>"BeamGuy" <nobody@SPAM.com> wrote in message
>news:O0N0rewWEHA.3540@TK2MSFTNGP10.phx.gbl...
>> I have taken this notice from the http://isc.sans.org/diary.php
>> ----
>> A large number of web sites, some of them quite popular, were compromised
>> earlier this week to distribute malicious code. The attacker uploaded a
>> small file with javascript to infected web sites, and altered the web
>> server configuration to append the script to all files served by the web
>> server. The Storm Center and others are still investigating the method
>> used to compromise the servers. Several server administrators reported
>> that they were fully patched.
>>
>> If a user visited an infected site, the javascript delivered by the site
>> would instruct the user's browser to download an executable from a Russian
>> web site and install it. Different executables were observed. These trojan
>> horse programs include keystroke loggers, proxy servers and other back
>> doors providing full access to the infected system.
>>
>> The javascript uses a so far unpatched vulnerability in MSIE to download
>> and execute the code. No warning will be displayed. The user does not have
>> to click on any links. Just visiting an infected site will trigger the
>> exploit.
>> ----
>> Other posters here who claim to know something say that this vulnerability
>> will not be patched in MSIE. If so then as far as I can tell MSIE is dead
>> as a browser. I cannot afford to use a browser that lets any website that
>> I visit download malware and execute it - and does not even bother to
>> patch it when the flaw is discovered!
>>
>> And no - I cannot use a browser with the security setting set to maximum
>> either. Thank you very much Microsoft, think of something else.
>
>The reason the exploit occurred is one or both of these things: (1) a
>webserver admin purposefully allows their own webserver to be compromised or
>(2) the server admin didn't boot the webserver so that the installed patch
>(that would have prevented the webserver from being compromised) was applied
>in time. The needed server patch has been available for a long time before
>this particular exploit came along.
>
>The fact that a fully updated IE is vulnerable to this exploit would have
>made almost no difference if the servers had all been patched as they should
>have been. Admins have only themselves to blame in either case #1 or #2,
>above. Possible incompetent webserver admin, or possible admin with criminal
>intent. Can someone think of some other potential scenario that would
>absolve admins of the ultimate responsibility for the exploit having been
>distributed?
>
>Nevertheless, Microsoft will almost surely patch the versions of IE against
>this exploit PDQ for versions of Windows that have not had expiration of
>critical updates support. That's my own opinion, and I will wait probably
>only a few days at most before seeing history prove that the opinion is
>correct. After all, does it seem probable that MS is going to put itself up
>for a lot of public discontent by refusing to patch IE against the exploit?
>A little common sense, not to mention how the stock market would react,
>should help drive home a practical analysis concerning the matter. IE is not
>dead, the very idea seems silly to me.
>
>Meanwhile, do what MS says until a patch is available and keep your
>antivirus updated (and use it). Most AV vendors have already come out with
>new updates to address this problem while waiting for a MS patch to IE. Or
>go use another browser and miss out on all the other good stuff that IE is
>used for and that the other browsers do not support (resulting in some
>aggravation of a different sort when visiting certain websites). It's your
>choice.
>
>
>.
>


