Re: New IE security hole
From: Karl Levinson, mvp (levinson_k_at_despammed.com)
Date: 06/11/05
- Next message: Gud4alaf: "server 2003 administrator password"
- Previous message: Installer: "Windows Firewall off and indicates on"
- In reply to: Imhotep: "Re: New IE security hole"
- Next in thread: Imhotep: "Re: New IE security hole"
- Reply: Imhotep: "Re: New IE security hole"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 11 Jun 2005 00:03:50 -0400
"Imhotep" <NoSpam@NoThanks.com> wrote in message
news:2r5qe.9589$tr.7589@fed1read03...
> A couple of things I disagree with you on. Most companies have some sort of
> http proxy/application layer filter.
I feel it's not quite that simple... Many large enterprises have proxy
servers but have unknown numbers of users and apps that require JavaScript,
while many small businesses don't have proxy servers. Most home users don't
read security bulletins to make manual changes. Many of them don't even
enable automatic updates. I would say the amount of total Internet users
behind proxies is probably less than 50%, and of those, the number that can
safely disable JavaScript and do it in less than 30 days is much lower than
50%.
> I simply limited the sites that our
> users can use javascript to (company related, company partners, etc). I
> created this list from the last time IE had javascript "issues". Second,
> saying Microsoft needs 45 days to fix this is a load of cow "flap". That is
> nothing more than an excuse. Microsoft should have a shorter window than
> that. They are the richest company on the Planet, so hire more people. That
> "window" should not be larger than a week....
You are wrong. People are cheap, much cheaper than bad press and lost
customers. If it was as simple as adding more people, MS would have already
done it. A million paid MS employees doing QA testing still can't replicate
all the hardware and software applications being used by real people in the
real world. The reality we face is that it has taken MS 45 days for every
single patch for the past 2 years. Even then, MS had to re-release two or
three of their patches from 2004 due to problems, twice due to problems with
language localized versions of Windows. MS knows this is a problem and can
probably make this better, but only with future versions of Windows.
> Simply, hiding the fact that this exists is lame at best. If this guy
> discovered it who is to say it has not been known for some time by people
> who are currently using the technique? Really, this technique could have
> been in use for months or more already....
It hasn't, but if it has, another month isn't that big a deal.
> Posting allows people like myself to take immediate action to at least
> limit this gaping hole, yet again, in a MS product.
Unfortunately, "people like yourself" who can secure themselves against this
are far, far fewer than 50% of the MS customer base, and close to 0% of home
users.
> Security by obscurity never works....
That's just not true. You should never rely solely on security by
obscurity, but obscurity is not useless. Obscurity can and does still add
security. The book "Writing Secure Code v2" backs this up.
Releasing security bulletins to the general public when there is no
practical solution does nothing but create panic, which is not useful. If
this was a vague terrorism warning with no good solution, instead of a
computer security warning with no good solution, this fact would be more
obvious.
Besides, if you really wanted to make the world safer by letting the world
know, the best way to do this would be to let MS announce it where all
interested parties know where to look. Announcing it here in Usenet and on
a personal web page means that relatively few people will read it, and the
world is less safe, not more safe. MS would also have tested the
workarounds and given a threat level assessment that helps people know how
seriously to take this.