Re: New IE security hole

From: Michael Evanchik (MichaelEvanchik_at_discussions.microsoft.com)
Date: 06/10/05


Date: Thu, 9 Jun 2005 17:52:02 -0700

this doesn't do anything critical at all

www.michaelevanchik.com

"Imhotep" wrote:

> Karl Levinson, mvp wrote:
>
> > Groan... Thanks for finding this and writing this up, that's pretty cool.
> >
> > However, by only giving MS two days to fix this, you have not done the
> > world a favor. Would it have killed you to wait a month or two for MS to
> > presumably release a patch?
> >
> > Your statement that "a [known] security flaw is less dangerous than an
> > unknown security hole that can be used by real hackers, swindlers or
> > racketeers" is not true, especially if you cannot turn off JavaScript for
> > one reason or another. You're only 20, so you don't realize that most
> > large enterprises such as governments and banks cannot just "turn off
> > Javascript for a month or two," both because it would break needed
> > functionality, and because many enterprises cannot test and implement
> > changes that quickly or that comprehensively. Security researchers in
> > favor of full and immediate
> > disclosure as a method of "making the vendor take security more seriously"
> > rarely look to see whether their theory is actually working out that way.
> >
> > Microsoft always takes at least 45 days to test and release a patch. Your
> > publishing this vuln will do nothing to speed up MS releasing a patch.
> > And if it did, that would probably be a bad thing, because it increases
> > the risk that their patch might break something for someone running a
> > non-English version of Windows in say, Belgium. That kind of problem
> > happened two or three times in 2004.
> >
> >
> > "Pascal Vyncke" <development-REMOVE-THIS-NOSPAM@seniorennet.be> wrote in
> > message news:PyQpe.114729$E46.6804526@phobos.telenet-ops.be...
> >> Hi,
> >>
> >> I discovered a NEW security hole / exploit in IE6 with SP2 and all the
> >> latest security patches.
> >>
> >> Overview of the exploit:
> >>
> >> * Bug for all Microsoft Internet Explorer users
> >> * Can be abused by hackers to run harmful JavaScript code and can be
> >> abused to mislead existing protection against harmful JavaScript code,
> >> like software from Norton, McAfee, ...
> >> * Can be abused to mislead the search engines Google, MSN, Yahoo,
> >> AltaVista, ...
> >> * Unpleasant for JavaScript programmers
> >>
> >> All the information about the NEW horrible bug (info, exploit, ...), see
> >> the page
> >>
> >> http://research.seniorennet.be/Techresearch/Javascript_security_flaw_bug_ie_6/security_flaw_bug_javascript_ie_6_internet_explorer.php
> >>
> >> Best regards,
> >> Pascal Vyncke
> >>
> >>
>
> A couple of things I disagree with you on. Most companies have some sort of
> http proxy/application layer filter. I simply limited the sites that our
> users can use javascript to (company related, company partners, etc). I
> created this list from the last time IE had javascript "issues". Second,
> saying Microsoft needs 45 days to fix this is a load of cow "flap". That is
> nothing more than an excuse. Microsoft should have a shorter window than
> that. They are the richest company on the Planet, so hire more people. That
> "window" should not be larger than a week....
>
> Simply, hiding the fact that this exists is lame at best. If this guy
> discovered it who is to say it has not been known for some time by people
> who are currently using the technique? Really, this technique could have
> been in use for months or more already....
>
> Posting allows people like myself to take immediate action to at least
> limit this gaping hole, yet again, in a MS product. Security by obscurity
> never works....
>
> -Im
>


