Re: Download.ject - commentary - LONG

From: BeamGuy (nobody_at_SPAM.com)
Date: 07/07/04


Date: Wed, 7 Jul 2004 11:35:15 -0400


"serverguy" <nospam@hatespam.com> wrote in message news:u8LpSdCZEHA.3988@tk2msftngp13.phx.gbl...
> Ok, I am still a bit confused, maybe someone can enlighten me.
>
> First, some background info:
> http://www.internetnews.com/security/article.php/3374251
>
> There's more. This vulnerability is still unpatched per the following
> resources:
> http://www.kb.cert.org/vuls/id/713878
> http://xforce.iss.net/xforce/xfdb/16361
>
> Today I read what appears to be a misguided article regarding the KB870669
> patch recently released by Microsoft. Here is the article:
> http://news.com.com/2010-1009-5256301.html?tag=nefd.acpro
> (this guy is an Executive Editor???) I will try to explain below why I
> think it is misguided.
>
> My personal belief is that this is NOT in fact a "patch" or "fix" for the
> vulnerability in question, but instead is just a partial workaround. Here
> is Microsoft's page related to the issue:
> http://www.microsoft.com/security/incident/Download_Ject.mspx
>
> Note that for both home users and corporate workstations, they recommend
> making manual adjustments to settings to "increase browsing safety" and
> "increase security of the local machine zone in Internet Explorer" in
> ADDITION to applying the 870669 patch. This suggests to me that the little
> reg hack which the patch applies does little to address the vulnerability,
> and it is really up to end-users and admins to protect their systems with
> the manual steps listed here:
> http://www.microsoft.com/security/incident/settings.mspx
> and here:
> http://support.microsoft.com/?kbid=871277
>
> Granted these are known security best practices related to Internet
> Explorer; however, I find it odd that MS is not simply releasing a fixall
> patch for this issue - especially since it claims that it HAS FIXED this
> issue with Windows XP SP2.
>
> Also, I find it silly that technical writers are not more careful in their
> research and understanding of these security issues. Mr. Berlind, in the
> news.com article above, is making it sound as if 870669 is a patch and all
> you need to do is go get it. He complains that he could not get it fast
> enough, but he makes no effort to examine the patch itself to see if it
> truly addresses the problem. He just assumes Microsoft will take care of
> him, eventually.
>
> I am not so convinced. Now, we are all being warned that IE simply cannot
> be trusted anymore:
> http://www.internetnews.com/security/article.php/3374931
>
> So, in keeping an open mind, and seeing the pendulum now swinging back in
> the other direction, away from Internet Explorer as the dominant browser, we
> must all begin looking at the alternatives. As a network admin with
> responsibilities including the security of over 1000 Windows computers and
> several hundred servers, I am facing the daunting task of deciding to deploy
> "workarounds," reg hacks, policies, and untold future "patches" to my users
> in order to keep them safe while using IE and pray that it is enough and
> that our virus protection and firewall will take care of the rest, or deploy
> a new default browser to users and hope that it will be safe enough.
>
> I am looking at Mozilla Firefox, but I have not found quality test results
> related to security. Sure, many people have said it is more secure than IE,
> but you would need to prove it to me. Same goes for any other browser out
> there. Can anyone point me to a resource which delves into the security of
> alternative browsers? I am extremely hesitant about Mozilla due to the open
> source and various "usability" bugs that I have already found. If the code
> is wide open, what is stopping it from being vulnerable to hackers? As for
> Opera, not sure I could convince management to buy it when there are free
> alternatives. Then there's the problem of all the various corporate web
> apps in use that only support IE, making it the lame duck browser, if you
> will. So I need lots of ammo to shoot that duck out of the sky.
>
> The new browser war is here, commence firing!!
>
>
-------------------------------------------

Let me see if I can create a story here that makes sense. I'm sure the experts
will correct everything I say that is wrong - which is likely most of what I say.

1) The people who write viruses and break into your computer to steal credit
information or turn them into spambots do not find the holes in IE, Windows,
Linux or any other OS themselves. They for the most part find them published
on the web in places like this:
http://www.securityfocus.com/bid/10514/exploit/

2) These exploits are found by hackers and published on the web out of a
sense of public service - the theory is that if exploits are found and plugged then
some organization that has the resources to find them and exploit them
themselves, like for instance the secret service arm of a hostile foreign
government, will not find them and exploit them without detection. It is these
guys that exploit it without detection that are the scariest. The latest exploit was
discovered 10 months ago, and might have been patched last week - but
reports abound that it is still not patched.

3) The way the game is supposed to be played is that once the exploits are
discovered the software manufacturer is supposed to plug the holes before the
person who really wants to exploit the bug has a chance to figure out how
to use the exploit to write their virus, spambot, or keylogger.

4) What we all are peeved about is that the folks writing IE don't appear to
be playing the game by these rules - instead they refuse to plug the holes and
tell us that anyone with a compromised browser got it on their own from visiting
a site they should not have.

5) Now it turns out that even the sites of the Fortune 500 companies are some
of those sites that you should not visit with IE.

--------

It could be that Mozilla has more security holes than IE; that is not important.
What is important is that we all feel they will play the game by these rules and
patch the holes when they are found and documented, before they can be
exploited. What we are betting on is the character of an organization, and we
all expect that the open source generation might respond to change a little more
nimbly than what has already been. It is, however, impossible to predict the
future; but we can learn from the past.


