Re: Where is the notification about IE zero day vulnerability?
From: Shenan Stanley (newshelper_at_gmail.com)
Date: 11/28/05
Date: Mon, 28 Nov 2005 01:04:39 -0600
Imhotep wrote:
> When Firefox's IDN security flaw came out, there were articles all
> over the popular web sites (CNN, MSNBC, Yahoo, etc). Now, there
> was a zero day fix (really a work around more than a fix) that
> protected your Firefox web client. This was about 8 months or so
> ago.
>
> Now, 7 days ago, someone posted proof of concept code illustrating
> how you can do a remote code execution attack against IE from any
> web site.
>
> Now, my question is a simple one. Why have none, as of today, of
> the popular web sites written a thing about it. It is much more
> serious. The code is all over the 'net and it can be run from any
> web server. In short, this is as serious a security hole as there
> can be. So why no press????
>
> Reference articles:
> http://yahoo.pcworld.com/yahoo/article/0,aid,122678,00.asp
Shenan Stanley wrote:
> FireFox was the sensational *new* (to the unknowing public) way of
> protecting yourself against the dangers of the web. Everyone was
> talking about how it was poised to be the one browser to finally
> beat Microsoft at its own game. It was the hot-topic, the
> news-flashable item in technology. It was because it was the
> "hot-button" topic it was (Firefox, not the exploit) that the
> exploit was covered.
>
> Now - Internet Explorer has been around forever. It is not the
> "hot-button" topic that FireFox was. Therefore - not a story in
> the bedazzled brains of the larger news-covering world. When it
> actually is exploited and causes millions of dollars of damage to
> a large corporation - it will be news AFTER the fact because of
> WHOM it hurt - not because it exists.
>
> That's why no press for this and why there was press for FireFox
> at the time.. There is no mystery to it.
> Sensationalism gets ratings. Ratings get advertisers.
> Advertisers give money.
>
> Now you might (and I think you have) say that Microsoft could pay
> the large news entities off to not talk.. Sure - I guess it could
> happen.
> I cannot say for certain it has or hasn't and likely very few
> people could with definitive facts to back it up. Although -
> Yahoo, CNN, MSNBC.. None of them are exactly hurting for money..
> Sure - their greed may lead them to more and more or that reporter
> may be easily quietened with less money than the whole corporation
> - but again - no one can say for certain it has/has not happened
> or is/is not happening - nor would they if the paycheck is good
> enough.
>
> You could say Microsoft paid everyone to expose the FireFox thing
> - but seeing how it was handled, I would think that either did or
> would have blown up in their faces and if there was even a chance
> it would - what a waste of resources for a company to make and
> still have the intelligence to be in business - in other words -
> it is doubtful anyone with a clue would have taken the chance on
> such a thing as that - given the coverage could so easily come out
> either way (good or bad - good for the opposing side if it was
> fixed quickly, bad for the opposing side if it was not.)
>
> As for the code.. Yep - it is serious, but again - not sensational
> until it is used and harms someone worth chatting about to Joe
> Schmoe. People are very select about what they hear, see and read.
> Some only listen/read/watch the sports, some only the local news
> and others the weather. They
> might perk up if someone said, "GM reported an estimated $16
> million in damages due to a computer virus that gained access to
> their computer systems through a known vulnerability in the
> Internet Explorer web browser that is installed and still
> vulnerable on millions of systems - including most home systems -
> today. Microsoft Corporation refused to comment at this time." -
> but they aren't going to give much thought to, "Did you know your
> Internet Explorer is vulnerable to attacks that could allow anyone
> to run anything they want on your computer right now?" (They'd
> have flipped to see the scores on a competing station by "Internet
> Explorer".)
>
> Not a very bright view of the world - but I have seen it over and
> over.
Imhotep wrote:
> So you are saying that it got coverage because the news agencies
> were trying to shoot down the browser, with respect to its
> perceived security status? Here is my problem with that. That is
> something that Microsoft or Firefox (mozilla foundation) cares
> about (Shooting down a perception) not a news agency...after all
> why would Yahoo, CNN or MSNBC care which browser was perceived at
> being more secure. Even if they did, why would they want to "shoot
> down" either of the browsers? Seems too political in nature....
I was saying "FireFox was already news", no one was trying to "shoot down"
anything - just continuing the coverage if you will. As I said - it was
already in the news that it had been released, millions (or whatever) of
downloads since its full release and that all the "technology experts" were
flaunting it as "more secure" and "easier to use" and "all around better
than Internet Explorer."

Then - in the midst of all that still being said - problem! Since they were
already reporting it - report the problem as well.. That's sensational -
maybe all the "experts" were wrong. ("Oh no, how will FireFox recover, how
could so many be wrong.. The Humanity!" - you know - more sensationalism to
a story that was just about dying - but this will give it new life!) But
then it turned around and got fixed - in record time! "Holy crap.. Oh
well - there goes that extra burst - back to dull dreary reporting."

Yahoo, CNN, MSNBC do NOT care which browser is more secure (their tech
support might, but that's another story) - but they do care about
sensationalism.. And for most reporters (news reporters - not the kind you
find on Tech TV - but those who report news such as war, disease, car
crashes, crime, weather damage and such) - Internet Explorer and/or FireFox
is "that thingy they click on to get to that page of stuff on the
'InterWeb'." Just like every other pure user you or I support - a tool to
do their job - a pain in the *** when things go wrong and no interest in
why that might happen. So - reporting on it is.. second fiddle. Unless
they can coin a phrase with it like, "Browser Wars" or something.. Then
they get a little more interest and so does the general public.

Why is it still being covered? Hopes that the "Browser Wars" heat up would
be my guess. Sensational News - no matter if it is about the turkey farm
where the turkeys held a mutiny and killed the farmer or which browser is
better/more secure does not matter to the agencies - they are into reporting
what gets them ratings - the Firefox thing is just "hanging on" (IMHO) and
no one has interest enough (of the 'big boys') to actually research it and
its competitor further right now - the shortcuts for the Firefox browser are
already in place - easy enough to check them daily.

Again - no one is "shooting down" anything - at least not in my mind. They
aren't supporting anything either. They are just waiting for something to
happen that will get them the extra 1/2 point or whatever. Who knows -
perhaps some of them did a search just now and picked up your question - now
they know there is a vulnerability and now they are deciding whether to
report it now or wait for the bigger story to break when the big company
gets hit because of a known flaw. *grin*

I have more cynicism towards the news agency of the world than I have for
any technology company.
--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html