Re: New IE security hole
From: Michael Evanchik (MichaelEvanchik_at_discussions.microsoft.com)
Date: Thu, 9 Jun 2005 17:52:02 -0700
this doesnt do anything critical at all
> Karl Levinson, mvp wrote:
> > Groan... Thanks for finding this and writing this up, that's pretty cool.
> > However, by only giving MS two days to fix this, you have not done the
> > world
> > a favor. Would it have killed you to wait a month or two for MS to
> > presumably release a patch?
> > Your statement that "a [known] security flaw is less dangerous than an
> > unknown security hole that can be used by real hackers, swindlers or
> > one reason or another. You're only 20, so you don't realize that most
> > large enterprises such as governments and banks cannot just "turn off
> > functionality, and because many enterprises cannot test and implement
> > changes that quickly or
> > that comprehensively. Security researchers in favor of full and immediate
> > disclosure as a method of "making the vendor take security more seriously"
> > rarely look to see whether their theory is actually working out that way.
> > Microsoft always takes at least 45 days to test and release a patch. Your
> > publishing this vuln will do nothing to speed up MS releasing a patch.
> > And if it did, that would probably be a bad thing, because it increases
> > the risk that their patch might break something for someone running a
> > non-English
> > version of Windows in say, Belgium. That kind of problem happened two or
> > three times in 2004.
> > "Pascal Vyncke" <development-REMOVE-THIS-NOSPAM@seniorennet.be> wrote in
> > message news:PyQpe.114729$E46.firstname.lastname@example.org...
> >> Hi,
> >> I discovered a NEW security hole / exploit in IE6 with SP2 and all the
> >> latest security patches.
> >> Overview of the exploit:
> >> * Bug for all Microsoft Internet Explorer users
> > abused
> >> software from Norton, McAfee,.
> >> * Can be abused to mislead the search engines Google, MSN, Yahoo,
> >> AltaVista,.
> >> All the information about the NEW horrible bug (info, exploit,.) , see
> >> the page
> >> Best regards,
> >> Pascal Vyncke
> A couple of things I disagree with you on. Most companies have some sort of
> http proxy/application layer filter. I simply limited the sites that our
> saying Microsoft needs 45 days to fix this is a load of cow "flap". That is
> nothing more than an excuse. Microsoft should have a shorter window than
> that. They are the riches company on the Planet, so hire more people. That
> "window" should not be larger than a week....
> Simply, hiding the fact that this exists is lame at best. If this guy
> discovered it who is to say it has not been known for some time by people
> who are currently using the technique? Really, this technique could have
> been in use for months or more already....
> Posting allows people like my self to take immediate action to at least
> limit this gapping hole, yet again, in a MS product. Security by obscurity
> never works....