Re: Internet Explorer bug

From: Greg Kujawa (
Date: 12/24/03

Date: Wed, 24 Dec 2003 06:38:08 -0800

Regarding URL spoofing we certainly can agree to disagree.
As for the four other active scripting flaws, these
operate outside of the "disregard/distrust the address
window in IE" premise. These flaws allow websites to place
controls that break security rules as defined on the
client workstation. Follow the link to for specific

Not every flaw that Microsoft has is explained by the
premise that endusers are naive/ignorant. I know you're
not saying this, but a lot of other newsgroups I browse
adopt this attitude. Buffer overflows, memory leaks, etc.
are all products of poor programming. And security
vulnerabilities in Microsoft's case for the most part are
due to a flawed security model upon which their newer
software is based.

I realize that the latest flaws were initially announced
to the world and therefore Microsoft didn't get a good
headstart. But nevertheless the richest, most powerful,
most dominant computer software company on Earth should be
able to muster up the manpower to issue a fix within two
weeks' time I would hope. It's not like there's a college
kid maintaining CVS for an offhand app that has three
volunteers keeping it alive.

>-----Original Message-----
>"Greg Kujawa" <> wrote
in message
>> here's my two cents worth. The concern that I have is
>> larger corporate environments.
>I also work in and have considered corporate
environments. Most corporate
>environments I know have real vulnerabilities to worry
about first.
>> the phishing scams. Maybe so. But nevertheless it's
>> a flaw that should be addressed sooner and not later.
>I believe Microsoft is addressing it. Unfortunately,
because the person
>that discovered this vulnerability wanted to be a self-
serving opportunist,
>Microsoft found out about this the same day you did.
That's not their
>fault. Given a choice between a fast fix that breaks all
my corporation's
>computers and a late fix that doesn't break anything, I
much prefer the
>latter. Keep in mind also that some components of IE
such as MSHTML.DLL
>which does HTML rendering don't just affect IE but the
entire OS, so you
>have to be careful. [and good luck disabling it.]
>> URL in the address window is unacceptable. And the fact
>> that they aren't issuing any December patches in the
>> of this and four other flaws (see
>> for details) is likewise unacceptable.
>It's also not entirely their fault, due to the way this
vulnerability was
>announced to the world. Sure, one could argue that the
open source world
>responds faster with patches, but it's not exactly an
apples to apples
>> The only answer is
>> to disable Active Scripting altogether. Nice. I guess
>> an answer.
>Didn't you read my post? The only answer is to use
common sense and not
>rely on the Address field of ANY browser to verify where
your code is coming
>from. And that fix is available today.
>Or, if you prefer, you can wait for a patch and go back
to unsafe browsing
>habits that leave one vulnerable to fishing.
Unfortunately most people
>prefer to patch and forget, so most people won't retain
the lesson to be had
>Again, I agree that it would be nice to have this fixed.
But there are so
>many other ways to make a deceiving URL. I can think of
at least seven ways
>to hide the true URL in IE and some other browsers as
well, and there won't
>be a patch for any of them.
>This bug will affect a very small subset of people:
those that are
>dumb enough to fall for phishing, and yet paranoid and
cautious enough to
>try to check the URL window. IMHO almost all of the
people who fall into
>the former category won't also fall into the latter one.