Re: Microsoft Zero Day security holes being exploited
- From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
- Date: Sat, 23 Sep 2006 18:37:56 -0700
"imhotep" <imhotep@xxxxxxxxxx> wrote in message
news:VO6dnaPHrY_W7ojYnZ2dnUVZ_r6dnZ2d@xxxxxxxxxxxxxxx
Replying to the MS blog
http://blogs.technet.com/msrc/archive/2006/09/22/458266.aspx
"Attacks remain limited. There?s been some confusion about that, that
somehow attacks are dramatic and widespread."
It has been said that ATTACKS ARE GROWING. This is the concern. Maybe
right
now there are limited sites that host these attacks but, what does
tomorrow
bring?
"Of course, that could change at any moment, and regardless of how many
people are being attacked..."
This is the point.
"So right now we're looking at where we hit that quality bar and if that
occurs prior to the monthly cycle then we will release."
But wait. MS can release the DRM patch in three days but you are saying
that
your customers might have to wait up to a month? Why is it a third party
had a patch out in a couple of days and you can't???
Sadly, I do not believe "confusion" is the issue here. The real issue is,
yet again, MS customers are taking the hit for an insecure platform. IT
professionals are taking the hit for an insecure platform. However, if you
are the Entertainment Industry, MS will take care of you by releasing a
DRM
patch in record time (3 days). Really, one must question where Microsoft's
priorities are....
Imhotep
Actually, we are just seeing Imhotep's revelation of predispositions
and inability to comprehend the distinction between QA on a patch
that impacts a top level application capability with fair limited use as
compared to an also lightly used code but that is deeply embedded
in the platform and has had time for potential side-effect to accrete
around it.
Frankly, with the simple workarounds available, with the apparently
low exploitation, I am quite happy to not use the third-party patch
and to wait for a regression tested release by the MSRC.
Roger
PS. What is with your habit of always setting followups to the
IE sec newsgroup anyway ??
Bill Sanderson MVP wrote:
And here's what Microsoft has to say:
http://blogs.technet.com/msrc/archive/2006/09/22/458266.aspx
"imhotep" <imhotep@xxxxxxxxxx> wrote in message
news:sNidnVbv5o2ZA4nYnZ2dnUVZ_rGdnZ2d@xxxxxxxxxxxxxxx
Microsoft Zero Day security holes being exploited
"Microsoft has issued warnings about a serious flaw in Internet Explorer
that allows attackers to hijack a PC via the popular browser
Researcher Adam Thomas uncovered the exploit which revolves around the
way that the Internet Explorer browser handles a particular form of
graphics known as vector graphics.
A properly crafted webpage can exploit this problem and install almost
anything they want on the target machine.
Unusable PC
Tests by Sunbelt Software on a Windows machine patched with all the
latest security updates showed attackers installing a huge amount of
spyware and other malicious programs."
http://news.bbc.co.uk/2/hi/technology/5365296.stm
Imhotep
.
- Follow-Ups:
- Re: Microsoft Zero Day security holes being exploited
- From: David H. Lipman
- Re: Microsoft Zero Day security holes being exploited
- References:
- Re: Microsoft Zero Day security holes being exploited
- From: Bill Sanderson MVP
- Re: Microsoft Zero Day security holes being exploited
- Prev by Date: Re: norton live update virus defs problem
- Next by Date: Re: Microsoft Zero Day security holes being exploited
- Previous by thread: Re: Microsoft Zero Day security holes being exploited
- Next by thread: Re: Microsoft Zero Day security holes being exploited
- Index(es):
Relevant Pages
|
