Re: New IE security hole

From: Imhotep (NoSpam_at_NoThanks.com)
Date: 06/10/05


Date: Thu, 09 Jun 2005 17:47:59 -0700

Karl Levinson, mvp wrote:

> Groan... Thanks for finding this and writing this up, that's pretty cool.
>
> However, by only giving MS two days to fix this, you have not done the
> world a favor. Would it have killed you to wait a month or two for MS to
> presumably release a patch?
>
> Your statement that "a [known] security flaw is less dangerous than an
> unknown security hole that can be used by real hackers, swindlers or
> racketeers" is not true, especially if you cannot turn off JavaScript for
> one reason or another. You're only 20, so you don't realize that most
> large enterprises such as governments and banks cannot just "turn off
> Javascript for a month or two," both because it would break needed
> functionality, and because many enterprises cannot test and implement
> changes that quickly or that comprehensively. Security researchers in
> favor of full and immediate disclosure as a method of "making the vendor
> take security more seriously" rarely look to see whether their theory is
> actually working out that way.
>
> Microsoft always takes at least 45 days to test and release a patch. Your
> publishing this vuln will do nothing to speed up MS releasing a patch.
> And if it did, that would probably be a bad thing, because it increases
> the risk that their patch might break something for someone running a
> non-English version of Windows in say, Belgium. That kind of problem
> happened two or three times in 2004.
>
>
> "Pascal Vyncke" <development-REMOVE-THIS-NOSPAM@seniorennet.be> wrote in
> message news:PyQpe.114729$E46.6804526@phobos.telenet-ops.be...
>> Hi,
>>
>> I discovered a NEW security hole / exploit in IE6 with SP2 and all the
>> latest security patches.
>>
>> Overview of the exploit:
>>
>> * Bug for all Microsoft Internet Explorer users
>> * Can be abused by hackers to run harmful JavaScript code and can be
>> abused to mislead existing protection against harmful JavaScript code, like
>> software from Norton, McAfee, ...
>> * Can be abused to mislead the search engines Google, MSN, Yahoo,
>> AltaVista, ...
>> * Unpleasant for JavaScript programmers
>>
>> All the information about the NEW horrible bug (info, exploit, ...), see
>> the page
>>
>> http://research.seniorennet.be/Techresearch/Javascript_security_flaw_bug_ie_6/security_flaw_bug_javascript_ie_6_internet_explorer.php
>>
>> Best regards,
>> Pascal Vyncke
>>
>>

A couple of things I disagree with you on. Most companies have some sort of
http proxy/application layer filter. I simply limited the sites that our
users can use javascript to (company related, company partners, etc). I
created this list from the last time IE had javascript "issues". Second,
saying Microsoft needs 45 days to fix this is a load of cow "flap". That is
nothing more than an excuse. Microsoft should have a shorter window than
that. They are the richest company on the Planet, so hire more people. That
"window" should not be larger than a week....

Simply, hiding the fact that this exists is lame at best. If this guy
discovered it who is to say it has not been known for some time by people
who are currently using the technique? Really, this technique could have
been in use for months or more already....

Posting allows people like myself to take immediate action to at least
limit this gaping hole, yet again, in a MS product. Security by obscurity
never works....

-Im
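The proxy-side mitigation Imhotep describes above (allow JavaScript only from an explicit list of company and partner sites, neutralise it from everywhere else) is sketched below as an added example; it is not code from this thread or from any product named in it. The host names, the allowlist and the sample page are constructed, the regex-based stripping is a deliberate simplification of what a real application-layer filter would do with an HTML parser, and the point worth noticing is the domain-suffix check: matching on a label boundary so that a look-alike host such as `evilpartner.example` does not inherit the permissions of `.partner.example`.

```python
"""
Allowlist-based JavaScript policy for an HTTP filtering proxy (added example).

Policy: script may only reach users from hosts on ALLOWED_SCRIPT_HOSTS.
For every other host, HTML responses have their script removed and
standalone JavaScript resources are blocked. Non-HTML content is passed
through untouched so images and stylesheets keep working.
"""
import re
from urllib.parse import urlsplit

# Constructed allowlist. A plain entry matches one host exactly; an entry
# with a leading "." matches that domain and every subdomain of it.
ALLOWED_SCRIPT_HOSTS = {"intranet.example.com", ".partner.example"}

# Content types that carry script on their own (hypothetical but common set).
SCRIPT_CONTENT_TYPES = ("application/javascript", "text/javascript",
                        "application/x-javascript")


def host_allows_script(url: str, allowlist=ALLOWED_SCRIPT_HOSTS) -> bool:
    """True if the URL's host is on the allowlist (case-insensitive)."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    for entry in allowlist:
        entry = entry.lower()
        if entry.startswith("."):
            # Apex or any subdomain, but only on a label boundary: the leading
            # "." means "evilpartner.example" never matches ".partner.example".
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


# Simplified script removal. Regexes cannot parse HTML in general; a
# production filter would use a real parser. They are enough to show the policy.
SCRIPT_TAG = re.compile(r"<script\b.*?</script\s*>", re.IGNORECASE | re.DOTALL)
EVENT_ATTR = re.compile(r"""\s+on\w+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)""",
                        re.IGNORECASE)
JS_URL = re.compile(
    r"""\b(href|src)\s*=\s*(?:"\s*javascript:[^"]*"|'\s*javascript:[^']*'|javascript:[^\s>]*)""",
    re.IGNORECASE)


def strip_script(html: str) -> str:
    """Remove <script> blocks, on* event handlers and javascript: URLs."""
    html = SCRIPT_TAG.sub("", html)
    html = EVENT_ATTR.sub("", html)
    html = JS_URL.sub(r'\1="#"', html)
    return html


def filter_response(url: str, content_type: str, body: str):
    """Apply the policy to one proxied response.

    Returns (body_to_deliver, action) where action is one of
    "pass" (non-script, non-HTML), "allow" (allowlisted host),
    "stripped" (HTML with script removed) or "blocked" (script resource).
    """
    ctype = content_type.lower().split(";")[0].strip()
    if host_allows_script(url):
        return body, "allow"
    if ctype in SCRIPT_CONTENT_TYPES:
        return "", "blocked"
    if ctype == "text/html":
        return strip_script(body), "stripped"
    return body, "pass"


# Constructed sample page exercising all three script vectors.
SAMPLE_HTML = ('<html><body onload="init()"><p>Hi</p>'
               '<script>alert(1)</script>'
               '<a href="javascript:void(0)">x</a></body></html>')

if __name__ == "__main__":
    for url in ("http://intranet.example.com/", "http://www.partner.example/",
                "http://evilpartner.example/", "http://unknown.test/"):
        delivered, action = filter_response(url, "text/html", SAMPLE_HTML)
        print(f"{url:35} {action:9} {delivered}")
```

Run it directly to see the decision for each constructed host; the allowlisted hosts receive the page unchanged, the look-alike and unknown hosts receive a page with no script, handlers or `javascript:` links.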


