Re: Where is the notification about IE zero day vulnerability?
From: Imhotep (imhotep_at_nospam.com)
Date: 11/28/05
Date: Mon, 28 Nov 2005 01:41:54 -0500
Shenan Stanley wrote:
> Imhotep wrote:
>> When Firefox's IDN security flaw came out, there were articles all
>> over the popular web sites (CNN, MSNBC, Yahoo, etc). Now, there was
>> a zero day fix (really a work around more than a fix) that
>> protected your Firefox web client. This was about 8 months or so
>> ago.
>>
>> Now, 7 days ago, someone posted proof of concept code illustrating
>> how you can do a remote code execution attack against IE from any
>> web site.
>>
>> Now, my question is a simple one. Why have none, as of today, of
>> the popular web sites written a thing about it. It is much more
>> serious. The code is all over the 'net and it can be run from any
>> web server. In short, this is as serious a security hole as there
>> can be. So why no press????
>>
>> Reference articles:
>> http://yahoo.pcworld.com/yahoo/article/0,aid,122678,00.asp
>
> FireFox was the sensational *new* (to the unknowing public) way of
> protecting yourself against the dangers of the web. Everyone was talking
> about how it was poised to be the one browser to finally beat Microsoft at
> its own game. It was the hot-topic, the news-flashable item in
> technology. It was because it was the "hot-button" topic it was (Firefox,
> not the exploit) that the exploit was covered.
>
> Now - Internet Explorer has been around forever. It is not the
> "hot-button" topic that FireFox was. Therefore - not a story in the
> bedazzled brains of the larger news-covering world. When it actually is
> exploited and causes millions of dollars of damage to a large corporation -
> it will be news AFTER the fact because of WHOM it hurt - not because it exists.
>
> That's why no press for this and why there was press for FireFox at the
> time.. There is no mystery to it.
> Sensationalism gets ratings. Ratings gets advertisers. Advertisers give
> money.
>
> Now you might (and I think you have) say that Microsoft could pay the large
> news entities off to not talk.. Sure - I guess it could happen. I cannot
> say for certain it has or hasn't and likely very few people could with
> definitive facts to back it up. Although - Yahoo, CNN, MSNBC.. None of
> them are exactly hurting for money.. Sure - their greed may lead them to
> more and more or that reporter may be easily quietened with less money
> than the whole corporation - but again - no one can say for certain it
> has/has not happened or is/is not happening - nor would they if the
> paycheck is good enough.
>
> You could say Microsoft paid everyone to expose the FireFox thing - but
> seeing how it was handled, I would think that either did or would have
> blown up in their faces and if there was even a chance it would - what a
> waste of resources for a company to make and still have the intelligence
> to be in business - in other words - it is doubtful anyone with a clue
> would have taken the chance on such a thing as that - given the coverage
> could so easily come out either way (good or bad - good for the opposing
> side if it was fixed quickly, bad for the opposing side if it was not.)
>
> As for the code.. Yep - it is serious, but again - not sensational until it
> is used and harms someone worth chatting about to Joe Schmoe. People are
> very select about what they hear, see and read. Some only listen/read/watch
> the sports, some only the local news and others the weather. They might
> perk up if someone said, "GM reported an estimated $16 million in damages
> due to a computer virus that gained access to their computer systems
> through a known vulnerability in the Internet Explorer web browser that is
> installed and still vulnerable on millions of systems - including most
> home systems - today. Microsoft Corporation refused to comment at this time." - but they
> aren't going to give much thought to, "Did you know your Internet Explorer
> is vulnerable to attacks that could allow anyone to run anything they want
> on your computer right now?" (They'd have flipped to see the scores on a
> competing station by "Internet Explorer".)
>
> Not a very bright view of the world - but I have seen it over and over.
>
So you are saying that it got coverage because the news agencies were trying
to shoot down the browser, with respect to its perceived security status?
Here is my problem with that. That is something that Microsoft or Firefox
(Mozilla Foundation) cares about (shooting down a perception) not a news
agency...after all why would Yahoo, CNN or MSNBC care which browser was
perceived as being more secure. Even if they did, why would they want to
"shoot down" either of the browsers? Seems too political in nature....
Imhotep