Re: Internet Explorer bug

From: Karl Levinson [x y] mvp (levinson_k_at_despammed.com)
Date: 12/24/03


Date: Wed, 24 Dec 2003 00:47:35 -0500


"Greg Kujawa" <anonymous@discussions.microsoft.com> wrote in message
news:00ce01c3c98e$1e545c50$a501280a@phx.gbl...

> here's my two cents worth. The concern that I have is
> larger corporate environments.

I also work in and have considered corporate environments. Most corporate
environments I know have real vulnerabilities to worry about first.

> the phishing scams. Maybe so. But nevertheless it's still
> a flaw that should be addressed sooner and not later.

I believe Microsoft is addressing it. Unfortunately, because the person
that discovered this vulnerability wanted to be a self-serving opportunist,
Microsoft found out about this the same day you did. That's not their
fault. Given a choice between a fast fix that breaks all my corporation's
computers and a late fix that doesn't break anything, I much prefer the
latter. Keep in mind also that some components of IE, such as MSHTML.DLL,
which does HTML rendering, don't just affect IE but the entire OS, so you
have to be careful. [and good luck disabling it.]

> URL in the address window is unacceptable. And the fact
> that they aren't issuing any December patches in the face
> of this and four other flaws (see http://www.secunia.com
> for details) is likewise unacceptable.

It's also not entirely their fault, due to the way this vulnerability was
announced to the world. Sure, one could argue that the open source world
responds faster with patches, but it's not exactly an apples to apples
comparison.

> The only answer is
> to disable Active Scripting altogether. Nice. I guess it's
> an answer.

Didn't you read my post? The only answer is to use common sense and not
rely on the Address field of ANY browser to verify where your code is coming
from. And that fix is available today.

Or, if you prefer, you can wait for a patch and go back to unsafe browsing
habits that leave one vulnerable to phishing. Unfortunately most people
prefer to patch and forget, so most people won't retain the lesson to be had
here.

Again, I agree that it would be nice to have this fixed. But there are so
many other ways to make a deceiving URL. I can think of at least seven ways
to hide the true URL in IE and some other browsers as well, and there won't
be a patch for any of them.

This bug will affect a very small subset of people: those that are
dumb enough to fall for phishing, and yet paranoid and cautious enough to
try to check the URL window. IMHO almost all of the people who fall into
the former category won't also fall into the latter one.


