Re: Where is the IE zero day exploit in the news...
From: Karl Levinson, mvp (levinson_k_at_despammed.com)
Date: 11/28/05
- Next message: fluidly unsure: "Re: Where is the notificiation about IE zero day vulnerablity?"
- Previous message: Shenan Stanley: "Re: Where is the notificiation about IE zero day vulnerablity?"
- In reply to: Imhotep: "Re: Where is the IE zero day exploit in the news..."
- Next in thread: Unruh: "Re: Where is the IE zero day exploit in the news..."
- Reply: Unruh: "Re: Where is the IE zero day exploit in the news..."
Date: Mon, 28 Nov 2005 00:11:47 -0500
"Imhotep" <imhotep@nospam.com> wrote in message
news:l4SdndJ7tuWc0hfenZ2dnUVZ_tidnZ2d@adelphia.com...
> >>This vulnerability affects Firefox as well. So it's not really an "IE
> >>vuln."
> >
> >>http://xforce.iss.net/xforce/xfdb/20783
> >
> > From that page
> > "It is reported that this vulnerability could be exploited to cause a
> > denial of service on Firefox and Opera Web browsers, but remote code
> > execution is not possible."
> >
> > I would say that remote code execution is far worse than crashing the
> > browser.
>
> ...thanks. That is exactly what I have been trying to say...

No, what you've been trying to say is that Microsoft was severely in error
and should not have rated this as "low" when it was "only a denial of
service." But that's the opposite of what the two of you are saying now
when considering the exact same vulnerability affecting Firefox, that it's
OK to minimize the Firefox vuln as being "just a denial of service." There
are two different viewpoints being expressed here that are inconsistent with
each other. If the Firefox vuln is "only a denial of service," then the IE
vuln has only been a known remote code execution vuln for a week or so, not
six months.

Microsoft is being faulted here for not notifying customers [although it
has]. I couldn't find anything on the Firefox web site about this. Not
only haven't they patched this, they haven't notified customers like
Microsoft has. Presumably they're still testing and reproducing the
vulnerability. Which goes back to what I was saying about not assuming that
Microsoft can necessarily always repro a vuln overnight when a finder
refuses to give them all the details.