Re: Internet Explorer bug
From: Karl Levinson [x y] mvp (levinson_k_at_despammed.com)
Date: Wed, 24 Dec 2003 00:47:35 -0500
"Greg Kujawa" <firstname.lastname@example.org> wrote in message
> here's my two cents worth. The concern that I have is
> larger corporate environments.
I also work in and have considered corporate environments. Most corporate
environments I know have real vulnerabilities to worry about first.
> the phishing scams. Maybe so. But nevertheless it's still
> a flaw that should be addressed sooner and not later.
I believe Microsoft is addressing it. Unfortunately, because the person
that discovered this vulnerability wanted to be a self-serving opportunist,
Microsoft found out about this the same day you did. That's not their
fault. Given a choice between a fast fix that breaks all my corporation's
computers and a late fix that doesn't break anything, I much prefer the
latter. Keep in mind also that some components of IE such as MSHTML.DLL
which does HTML rendering don't just affect IE but the entire OS, so you
have to be careful. [and good luck disabling it.]
> URL in the address window is unacceptable. And the fact
> that they aren't issuing any December patches in the face
> of this and four other flaws (see http://www.secunia.com
> for details) is likewise unacceptable.
It's also not entirely their fault, due to the way this vulnerability was
announced to the world. Sure, one could argue that the open source world
responds faster with patches, but it's not exactly an apples to apples
> The only answer is
> to disable Active Scripting altogether. Nice. I guess it's
> an answer.
Didn't you read my post? The only answer is to use common sense and not
rely on the Address field of ANY browser to verify where your code is coming
from. And that fix is available today.
Or, if you prefer, you can wait for a patch and go back to unsafe browsing
habits that leave one vulnerable to phishing. Unfortunately most people
prefer to patch and forget, so most people won't retain the lesson to be had
Again, I agree that it would be nice to have this fixed. But there are so
many other ways to make a deceiving URL. I can think of at least seven ways
to hide the true URL in IE and some other browsers as well, and there won't
be a patch for any of them.
This bug will affect a very small subset of people: those that are
dumb enough to fall for phishing, and yet paranoid and cautious enough to
try to check the URL window. IMHO almost all of the people who fall into
the former category won't also fall into the latter one.