Re: Download.ject - commentary - LONG

From: serverguy (nospam_at_hatespam.com)
Date: 07/07/04


Date: Wed, 7 Jul 2004 12:18:46 -0400

Yes, it says the changes "will protect customers against the immediate
reported threats," and that's great! But the vulnerability remains and
other threats that attack that vulnerability but that are different from the
"immediate threats" could arrive on the scene any day now. Microsoft does
not claim to have an actual "fix" for the vulnerability which was reported
months ago, except in SP2 which has not yet been released in production.
From the tone of the press release, "...is working to provide..." and "Later
this summer..." are phrases suggesting they are only just reacting to the
issue now. That's just not good enough. They need to speed things up and
fix reported holes BEFORE they are breached.

Meanwhile, the Russian server that was "shut down" was probably just moved
elsewhere and the coders are busy working around the workaround.

Please don't take this the wrong way. I think Microsoft has been more
responsive in recent years to security. The Blaster issue was patched by
Microsoft before the worm hit, so it was really up to users to protect
themselves. This time, the hole was NOT closed in time and the threat has
already done its damage with more threats possible. Due to this, I am
merely suggesting that one should no longer rely on Microsoft to fix its
security problems in a timely manner, and individuals should seek their own
solutions if necessary. I work under the auspices of HIPAA and many other
folks like me have other genuine security concerns these days that will need
real solutions from multiple resources.

"Torgeir Bakken (MVP)" <Torgeir.Bakken-spam@hydro.com> wrote in message
news:uBkinRDZEHA.1152@TK2MSFTNGP09.phx.gbl...
> serverguy wrote:
>
> > (snip)
> > My personal belief is that this is NOT in fact a "patch" or "fix" for the
> > vulnerability in question, but instead is just a partial workaround. Here
> > is Microsoft's page related to the issue:
> > http://www.microsoft.com/security/incident/Download_Ject.mspx
> >
> > Note that for both home users and corporate workstations, they recommend
> > making manual adjustments to settings to "increase browsing safety" and
> > "increase security of the local machine zone in Internet Explorer" in
> > ADDITION to applying the 870669 patch. This suggests to me that the little
> > reg hack which the patch applies does little to address the vulnerability,
> > and it is really up to end-users and admins to protect their systems with
> > the manual steps listed here:
> > http://www.microsoft.com/security/incident/settings.mspx
> > and here:
> > http://support.microsoft.com/?kbid=871277
> >
> > Granted these are known security best practices related to Internet
> > Explorer; however, I find it odd that MS is not simply releasing a fixall
> > patch for this issue - especially since it claims that it HAS FIXED this
> > issue with Windows XP SP2.
> > (snip)
> Hi
>
> Note the following from a recent Microsoft press release:
>
> Microsoft Statement Regarding Configuration Change to Windows in
> Response to Download.Ject Security Issue
> http://www.microsoft.com/presspass/press/2004/jul04/07-02configchange.asp
>
> <quote>
> In addition to this configuration change, which will protect customers
> against the immediate reported threats, Microsoft is working to provide
> a series of security updates to Internet Explorer in coming weeks that
> will provide additional protections for our customers.
>
> Later this summer, Microsoft will release Windows XP Service Pack 2,
> which includes the most up-to-date network, Web browsing and e-mail
> features designed to help protect against malicious attacks and reduce
> unwanted content and downloads. A comprehensive update for all
> supported versions of Internet Explorer will be released once it has
> been thoroughly tested and found to be effective across a wide variety
> of supported versions and configurations of Internet Explorer.
> </quote>
>
>
> --
> torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
> Administration scripting examples and an ONLINE version of
> the 1328 page Scripting Guide:
> http://www.microsoft.com/technet/community/scriptcenter/default.mspx