Re: Internet Explorer bug

From: Greg Kujawa (anonymous_at_discussions.microsoft.com)
Date: 12/24/03


Date: Wed, 24 Dec 2003 06:38:08 -0800

Regarding URL spoofing we certainly can agree to disagree.
As for the four other active scripting flaws, these
operate outside of the "disregard/distrust the address
window in IE" premise. These flaws allow websites to place
controls that break security rules as defined on the
client workstation. Follow the link to
http://www.secunia.com/advisories/10289/ for specific
details.

Not every flaw that Microsoft has is explained by the
premise that endusers are naive/ignorant. I know you're
not saying this, but a lot of other newsgroups I browse
adopt this attitude. Buffer overflows, memory leaks, etc.
are all products of poor programming. And security
vulnerabilities in Microsoft's case for the most part are
due to a flawed security model upon which their newer
software is based.

I realize that the latest flaws were initially announced
to the world and therefore Microsoft didn't get a good
headstart. But nevertheless the richest, most powerful,
most dominant computer software company on Earth should be
able to muster up the manpower to issue a fix within two
weeks' time I would hope. It's not like there's a college
kid maintaining CVS for an offhand app that has three
volunteers keeping it alive.

>-----Original Message-----
>
>"Greg Kujawa" <anonymous@discussions.microsoft.com> wrote
in message
>news:00ce01c3c98e$1e545c50$a501280a@phx.gbl...
>
>> here's my two cents worth. The concern that I have is
>> larger corporate environments.
>
>I also work in and have considered corporate
environments. Most corporate
>environments I know have real vulnerabilities to worry
about first.
>
>> the phishing scams. Maybe so. But nevertheless it's
still
>> a flaw that should be addressed sooner and not later.
>
>I believe Microsoft is addressing it. Unfortunately,
because the person
>that discovered this vulnerability wanted to be a self-
serving opportunist,
>Microsoft found out about this the same day you did.
That's not their
>fault. Given a choice between a fast fix that breaks all
my corporation's
>computers and a late fix that doesn't break anything, I
much prefer the
>latter. Keep in mind also that some components of IE
such as MSHTML.DLL
>which does HTML rendering don't just affect IE but the
entire OS, so you
>have to be careful. [and good luck disabling it.]
>
>> URL in the address window is unacceptable. And the fact
>> that they aren't issuing any December patches in the
face
>> of this and four other flaws (see http://www.secunia.com
>> for details) is likewise unacceptable.
>
>It's also not entirely their fault, due to the way this
vulnerability was
>announced to the world. Sure, one could argue that the
open source world
>responds faster with patches, but it's not exactly an
apples to apples
>comparison.
>
>> The only answer is
>> to disable Active Scripting altogether. Nice. I guess
it's
>> an answer.
>
>Didn't you read my post? The only answer is to use
common sense and not
>rely on the Address field of ANY browser to verify where
your code is coming
>from. And that fix is available today.
>
>Or, if you prefer, you can wait for a patch and go back
to unsafe browsing
>habits that leave one vulnerable to fishing.
Unfortunately most people
>prefer to patch and forget, so most people won't retain
the lesson to be had
>here.
>
>Again, I agree that it would be nice to have this fixed.
But there are so
>many other ways to make a deceiving URL. I can think of
at least seven ways
>to hide the true URL in IE and some other browsers as
well, and there won't
>be a patch for any of them.
>
>This bug will affect a very small subset of people:
those that are
>dumb enough to fall for phishing, and yet paranoid and
cautious enough to
>try to check the URL window. IMHO almost all of the
people who fall into
>the former category won't also fall into the latter one.
>
>
>
>
>.
>