Microsoft Zero Day security holes being exploited

Microsoft Zero Day security holes being exploited

"Microsoft has issued warnings about a serious flaw in Internet Explorer
that allows attackers to hijack a PC via the popular browser

Researcher Adam Thomas uncovered the exploit which revolves around the way
that the Internet Explorer browser handles a particular form of graphics
known as vector graphics.

A properly crafted webpage can exploit this problem and install almost
anything they want on the target machine.
Unusable PC

Tests by Sunbelt Software on a Windows machine patched with all the latest
security updates showed attackers installing a huge amount of spyware and
other malicious programs."

http://news.bbc.co.uk/2/hi/technology/5365296.stm

Imhotep

Replying to the MS blog
http://blogs.technet.com/msrc/archiv...22/458266.aspx


"Attacks remain limited. There?s been some confusion about that, that
somehow attacks are dramatic and widespread."

It has been said that ATTACKS ARE GROWING. This is the concern. Maybe right
now there are limited sites that host these attacks but, what does tomorrow
bring?

"Of course, that could change at any moment, and regardless of how many
people are being attacked..."

This is the point.

"So right now we're looking at where we hit that quality bar and if that
occurs prior to the monthly cycle then we will release."

But wait. MS can release the DRM patch in three days but you are saying that
your customers might have to wait up to a month? Why is it a third party
had a patch out in a couple of days and you can't???


Sadly, I do not believe "confusion" is the issue here. The real issue is,
yet again, MS customers are taking the hit for an insecure platform. IT
professionals are taking the hit for an insecure platform. However, if you
are the Entertainment Industry, MS will take care of you by releasing a DRM
patch in record time (3 days). Really, one must question where Microsoft's
priorities are....

Imhotep


Bill Sanderson MVP wrote:

And here's what Microsoft has to say:

http://blogs.technet.com/msrc/archiv...22/458266.aspx

"imhotep" wrote in message
...
Microsoft Zero Day security holes being exploited

"Microsoft has issued warnings about a serious flaw in Internet Explorer
that allows attackers to hijack a PC via the popular browser

Researcher Adam Thomas uncovered the exploit which revolves around the
way that the Internet Explorer browser handles a particular form of
graphics known as vector graphics.

A properly crafted webpage can exploit this problem and install almost
anything they want on the target machine.
Unusable PC

Tests by Sunbelt Software on a Windows machine patched with all the
latest security updates showed attackers installing a huge amount of
spyware and other malicious programs."

http://news.bbc.co.uk/2/hi/technology/5365296.stm

Imhotep

Roger Abell [MVP] wrote:

"imhotep" wrote in message
...
Replying to the MS blog
http://blogs.technet.com/msrc/archiv...22/458266.aspx


"Attacks remain limited. There?s been some confusion about that, that
somehow attacks are dramatic and widespread."

It has been said that ATTACKS ARE GROWING. This is the concern. Maybe
right
now there are limited sites that host these attacks but, what does
tomorrow
bring?

"Of course, that could change at any moment, and regardless of how many
people are being attacked..."

This is the point.

"So right now we're looking at where we hit that quality bar and if that
occurs prior to the monthly cycle then we will release."

But wait. MS can release the DRM patch in three days but you are saying
that
your customers might have to wait up to a month? Why is it a third party
had a patch out in a couple of days and you can't???


Sadly, I do not believe "confusion" is the issue here. The real issue is,
yet again, MS customers are taking the hit for an insecure platform. IT
professionals are taking the hit for an insecure platform. However, if
you are the Entertainment Industry, MS will take care of you by releasing
a DRM
patch in record time (3 days). Really, one must question where
Microsoft's priorities are....

Imhotep


Actually, we are just seeing Imhotep's revelation of predispositions
and inability to comprehend the distinction between QA on a patch
that impacts a top level application capability with fair limited use as
compared to an also lightly used code but that is deeply embedded
in the platform and has had time for potential side-effect to accrete
around it.

No actually we are seeing Roger Abell's overly verbose excuses. Yet again.
To think that the World's richest software company can't fix a serious
patch in a reasonable amount of time is inexcusable (not doubt Roger will
try though). To think that a third party can release a patch in 2 days but
the World's richest software company can't is inexcusable. To think that
Microsoft can patch a DRM security hole in a record 2-3 days leads one to
believe that Microsoft's priorities are somewhere other than their users
and that is inexcusable. The fact that Roger Abell is trying to defend the
obvious ineptness of Microsoft is well, hilarious.

Frankly, with the simple workarounds available, with the apparently
low exploitation, I am quite happy to not use the third-party patch
and to wait for a regression tested release by the MSRC.

The simpleset work around being what? Use Firefox? Then we agree. Better
yet, the *best* work around is to ditch Microsoft all together and get an
Apple or Linux PC....

Imhotep

Roger

PS. What is with your habit of always setting followups to the
IE sec newsgroup anyway ??

Bill Sanderson MVP wrote:

And here's what Microsoft has to say:

http://blogs.technet.com/msrc/archiv...22/458266.aspx

"imhotep" wrote in message
...
Microsoft Zero Day security holes being exploited

"Microsoft has issued warnings about a serious flaw in Internet
Explorer that allows attackers to hijack a PC via the popular browser

Researcher Adam Thomas uncovered the exploit which revolves around the
way that the Internet Explorer browser handles a particular form of
graphics known as vector graphics.

A properly crafted webpage can exploit this problem and install almost
anything they want on the target machine.
Unusable PC

Tests by Sunbelt Software on a Windows machine patched with all the
latest security updates showed attackers installing a huge amount of
spyware and other malicious programs."

http://news.bbc.co.uk/2/hi/technology/5365296.stm

Imhotep

"imhotep" wrote in message
...
Roger Abell [MVP] wrote:

"imhotep" wrote in message
...
Replying to the MS blog
http://blogs.technet.com/msrc/archiv...22/458266.aspx


"Attacks remain limited. There?s been some confusion about that, that
somehow attacks are dramatic and widespread."

It has been said that ATTACKS ARE GROWING. This is the concern. Maybe
right
now there are limited sites that host these attacks but, what does
tomorrow
bring?

"Of course, that could change at any moment, and regardless of how many
people are being attacked..."

This is the point.

"So right now we're looking at where we hit that quality bar and if that
occurs prior to the monthly cycle then we will release."

But wait. MS can release the DRM patch in three days but you are saying
that
your customers might have to wait up to a month? Why is it a third party
had a patch out in a couple of days and you can't???


Sadly, I do not believe "confusion" is the issue here. The real issue
is,
yet again, MS customers are taking the hit for an insecure platform. IT
professionals are taking the hit for an insecure platform. However, if
you are the Entertainment Industry, MS will take care of you by
releasing
a DRM
patch in record time (3 days). Really, one must question where
Microsoft's priorities are....

Imhotep


Actually, we are just seeing Imhotep's revelation of predispositions
and inability to comprehend the distinction between QA on a patch
that impacts a top level application capability with fair limited use as
compared to an also lightly used code but that is deeply embedded
in the platform and has had time for potential side-effect to accrete
around it.

No actually we are seeing Roger Abell's overly verbose excuses. Yet again.
To think that the World's richest software company can't fix a serious
patch in a reasonable amount of time is inexcusable (not doubt Roger will
try though). To think that a third party can release a patch in 2 days but
the World's richest software company can't is inexcusable. To think that
Microsoft can patch a DRM security hole in a record 2-3 days leads one to
believe that Microsoft's priorities are somewhere other than their users
and that is inexcusable. The fact that Roger Abell is trying to defend the
obvious ineptness of Microsoft is well, hilarious.


Talk about verbose !!

I am defending nothing.

Now just why do you think that I choose to post a new thread on
this the day that the exploit became public ??
Because it had potential and because the advisory and other available
info provided means for protecting against the threat.

A discussion of a specific threat is NOT the venue to attempt to
discuss other, tangential at best, issues, such as time to delivery
of other fixes, who is in whose bed, etc..

PS. can you not control your newreader and its use of followups?

Frankly, with the simple workarounds available, with the apparently
low exploitation, I am quite happy to not use the third-party patch
and to wait for a regression tested release by the MSRC.

The simpleset work around being what? Use Firefox? Then we agree. Better
yet, the *best* work around is to ditch Microsoft all together and get an
Apple or Linux PC....

Imhotep

Roger

PS. What is with your habit of always setting followups to the
IE sec newsgroup anyway ??

Bill Sanderson MVP wrote:

And here's what Microsoft has to say:

http://blogs.technet.com/msrc/archiv...22/458266.aspx

"imhotep" wrote in message
...
Microsoft Zero Day security holes being exploited

"Microsoft has issued warnings about a serious flaw in Internet
Explorer that allows attackers to hijack a PC via the popular browser

Researcher Adam Thomas uncovered the exploit which revolves around the
way that the Internet Explorer browser handles a particular form of
graphics known as vector graphics.

A properly crafted webpage can exploit this problem and install almost
anything they want on the target machine.
Unusable PC

Tests by Sunbelt Software on a Windows machine patched with all the
latest security updates showed attackers installing a huge amount of
spyware and other malicious programs."

http://news.bbc.co.uk/2/hi/technology/5365296.stm

Imhotep

Roger Abell [MVP] wrote:

"imhotep" wrote in message
...
Roger Abell [MVP] wrote:

"imhotep" wrote in message
...
Replying to the MS blog
http://blogs.technet.com/msrc/archiv...22/458266.aspx


"Attacks remain limited. There?s been some confusion about that, that
somehow attacks are dramatic and widespread."

It has been said that ATTACKS ARE GROWING. This is the concern. Maybe
right
now there are limited sites that host these attacks but, what does
tomorrow
bring?

"Of course, that could change at any moment, and regardless of how many
people are being attacked..."

This is the point.

"So right now we're looking at where we hit that quality bar and if
that occurs prior to the monthly cycle then we will release."

But wait. MS can release the DRM patch in three days but you are saying
that
your customers might have to wait up to a month? Why is it a third
party had a patch out in a couple of days and you can't???


Sadly, I do not believe "confusion" is the issue here. The real issue
is,
yet again, MS customers are taking the hit for an insecure platform. IT
professionals are taking the hit for an insecure platform. However, if
you are the Entertainment Industry, MS will take care of you by
releasing
a DRM
patch in record time (3 days). Really, one must question where
Microsoft's priorities are....

Imhotep


Actually, we are just seeing Imhotep's revelation of predispositions
and inability to comprehend the distinction between QA on a patch
that impacts a top level application capability with fair limited use as
compared to an also lightly used code but that is deeply embedded
in the platform and has had time for potential side-effect to accrete
around it.

No actually we are seeing Roger Abell's overly verbose excuses. Yet
again. To think that the World's richest software company can't fix a
serious patch in a reasonable amount of time is inexcusable (not doubt
Roger will try though). To think that a third party can release a patch
in 2 days but the World's richest software company can't is inexcusable.
To think that Microsoft can patch a DRM security hole in a record 2-3
days leads one to believe that Microsoft's priorities are somewhere other
than their users and that is inexcusable. The fact that Roger Abell is
trying to defend the obvious ineptness of Microsoft is well, hilarious.


Talk about verbose !!

Now just why do you think that I choose to post a new thread on
this the day that the exploit became public ??
Because it had potential and because the advisory and other available
info provided means for protecting against the threat.

....and I thanked you. As you did the right thing.

A discussion of a specific threat is NOT the venue to attempt to
discuss other, tangential at best, issues, such as time to delivery
of other fixes, who is in whose bed, etc..

Time to patch is most definitely relevant to all security holes especially
when the code to do exploit the security hole is all over the 'net...

Now as I stated before, it is shamefull that the DRM patch was 3 days but it
seems that people will have to wait a month (maybe more?) for this security
hole to be patched. Now come on. Even a Pro Microsoft guy like yourself,
must be a little angry at how the Entertainment Industry gets taken cared
of while users and corporations are getting substandard attention....

Imhotep


Frankly, with the simple workarounds available, with the apparently
low exploitation, I am quite happy to not use the third-party patch
and to wait for a regression tested release by the MSRC.

The simpleset work around being what? Use Firefox? Then we agree. Better
yet, the *best* work around is to ditch Microsoft all together and get an
Apple or Linux PC....

Imhotep

Roger

PS. What is with your habit of always setting followups to the
IE sec newsgroup anyway ??

Bill Sanderson MVP wrote:

And here's what Microsoft has to say:

http://blogs.technet.com/msrc/archiv...22/458266.aspx

"imhotep" wrote in message
...
Microsoft Zero Day security holes being exploited

"Microsoft has issued warnings about a serious flaw in Internet
Explorer that allows attackers to hijack a PC via the popular browser

Researcher Adam Thomas uncovered the exploit which revolves around
the way that the Internet Explorer browser handles a particular form
of graphics known as vector graphics.

A properly crafted webpage can exploit this problem and install
almost anything they want on the target machine.
Unusable PC

Tests by Sunbelt Software on a Windows machine patched with all the
latest security updates showed attackers installing a huge amount of
spyware and other malicious programs."

http://news.bbc.co.uk/2/hi/technology/5365296.stm

Imhotep

Karl Levinson, mvp wrote:


"imhotep" wrote in message
...

It has been said that ATTACKS ARE GROWING. This is the concern. Maybe
right
now there are limited sites that host these attacks but, what does
tomorrow
bring?

Is there any reason why you trust these reports more than Microsoft's
reports? Time and time again, Microsoft's assessments have proven more
accurate than the chicken littles in the security industry who profit from
pointless fear.

"Of course, that could change at any moment, and regardless of how many
people are being attacked..."

This is the point.

Browser vulns are highly overrated and overreported. You make the problem
worse by hyping and trumping it up here.

Trend Micro's numbers for people infected worldwide by VML exploits:
zero.


http://www.trendmicro.com/vinfo/viru...S&Perio d=All

This is entirely consistent with what we know about the number of people
infected by Download.ject and Qhosts, two other similar browser vulns.


"So right now we're looking at where we hit that quality bar and if that
occurs prior to the monthly cycle then we will release."

But wait. MS can release the DRM patch in three days but you are saying
that
your customers might have to wait up to a month?

You have zero basis in fact for assuming that the DRM patch being released
in 3 days has something to do with Microsoft's priorities. What it tells
me
is that the DRM patch had little to no possibility of breaking things.
You are arguing that Microsoft releasing patches in three days is a good
thing and the best for everyone, but you have not proven this to be the
case.

Why is it a third party
had a patch out in a couple of days and you can't???

If it bothers you enough, there is a registry value that disables VML.
Most people won't find it necessary to enable this workaround.


Sadly, I do not believe "confusion" is the issue here. The real issue is,
yet again, MS customers are taking the hit for an insecure platform. IT
professionals are taking the hit

Yes, all zero of them.

Really, one must question where Microsoft's
priorities are....

You really don't.

I guess this shoots your theory to crap, eh? Oh yea, I bet they are lying
too...

"Hackers gained access to HostGator's servers late Thursday and began
redirecting customer sites to outside web pages that exploit an unpatched
VML security hole in Internet Explorer to infect web surfers with trojans.
The existence of the new "0-day" exploit of cPanel leaves a large number of
hosting companies vulnerable to similar attacks until they install the
patch. The risk is mitigated somewhat by the fact that it is a local
exploit, meaning any attack on a host must be launched from an existing
account with cPanel access."

From: HostGator: cPanel Security Hole Exploited in Mass Hack
http://news.netcraft.com/archives/20...ss_h ack.html

Imhotep

Think we'll only achieve secure computing when C is dropped in favour of a
better language. The list of buffer-overflow exploits in every single major
software-package gets monotonous.

After all, nobody ever got prosecuted for 'Not realising that guy was going
to do something silly.' But people do get prosecuted for driving cars with no
brakes.

"imhotep" wrote in message
...
Roger Abell [MVP] wrote:

"imhotep" wrote in message
...
Roger Abell [MVP] wrote:

"imhotep" wrote in message
...
Replying to the MS blog
http://blogs.technet.com/msrc/archiv...22/458266.aspx


"Attacks remain limited. There?s been some confusion about that, that
somehow attacks are dramatic and widespread."

It has been said that ATTACKS ARE GROWING. This is the concern. Maybe
right
now there are limited sites that host these attacks but, what does
tomorrow
bring?

"Of course, that could change at any moment, and regardless of how
many
people are being attacked..."

This is the point.

"So right now we're looking at where we hit that quality bar and if
that occurs prior to the monthly cycle then we will release."

But wait. MS can release the DRM patch in three days but you are
saying
that
your customers might have to wait up to a month? Why is it a third
party had a patch out in a couple of days and you can't???


Sadly, I do not believe "confusion" is the issue here. The real issue
is,
yet again, MS customers are taking the hit for an insecure platform.
IT
professionals are taking the hit for an insecure platform. However, if
you are the Entertainment Industry, MS will take care of you by
releasing
a DRM
patch in record time (3 days). Really, one must question where
Microsoft's priorities are....

Imhotep


Actually, we are just seeing Imhotep's revelation of predispositions
and inability to comprehend the distinction between QA on a patch
that impacts a top level application capability with fair limited use
as
compared to an also lightly used code but that is deeply embedded
in the platform and has had time for potential side-effect to accrete
around it.

No actually we are seeing Roger Abell's overly verbose excuses. Yet
again. To think that the World's richest software company can't fix a
serious patch in a reasonable amount of time is inexcusable (not doubt
Roger will try though). To think that a third party can release a patch
in 2 days but the World's richest software company can't is inexcusable.
To think that Microsoft can patch a DRM security hole in a record 2-3
days leads one to believe that Microsoft's priorities are somewhere
other
than their users and that is inexcusable. The fact that Roger Abell is
trying to defend the obvious ineptness of Microsoft is well, hilarious.


Talk about verbose !!

Now just why do you think that I choose to post a new thread on
this the day that the exploit became public ??
Because it had potential and because the advisory and other available
info provided means for protecting against the threat.

...and I thanked you. As you did the right thing.

A discussion of a specific threat is NOT the venue to attempt to
discuss other, tangential at best, issues, such as time to delivery
of other fixes, who is in whose bed, etc..

Time to patch is most definitely relevant to all security holes especially
when the code to do exploit the security hole is all over the 'net...

Now as I stated before, it is shamefull that the DRM patch was 3 days but
it
seems that people will have to wait a month (maybe more?) for this
security
hole to be patched. Now come on. Even a Pro Microsoft guy like yourself,
must be a little angry at how the Entertainment Industry gets taken cared
of while users and corporations are getting substandard attention....


If you feel so , then start a thread on that
Do not try to take a thread on a specific threat OT

ra


Frankly, with the simple workarounds available, with the apparently
low exploitation, I am quite happy to not use the third-party patch
and to wait for a regression tested release by the MSRC.

The simpleset work around being what? Use Firefox? Then we agree. Better
yet, the *best* work around is to ditch Microsoft all together and get
an
Apple or Linux PC....

Imhotep

Roger

PS. What is with your habit of always setting followups to the
IE sec newsgroup anyway ??

Bill Sanderson MVP wrote:

And here's what Microsoft has to say:

http://blogs.technet.com/msrc/archiv...22/458266.aspx

"imhotep" wrote in message
...
Microsoft Zero Day security holes being exploited

"Microsoft has issued warnings about a serious flaw in Internet
Explorer that allows attackers to hijack a PC via the popular
browser

Researcher Adam Thomas uncovered the exploit which revolves around
the way that the Internet Explorer browser handles a particular form
of graphics known as vector graphics.

A properly crafted webpage can exploit this problem and install
almost anything they want on the target machine.
Unusable PC

Tests by Sunbelt Software on a Windows machine patched with all the
latest security updates showed attackers installing a huge amount of
spyware and other malicious programs."

http://news.bbc.co.uk/2/hi/technology/5365296.stm

Imhotep

"Roger Abell [MVP]" wrote in message
...

PS. can you not control your newreader and its use of followups?

He's probably using some crappy open source newsreader. ;D

Karl Levinson, mvp wrote:


"imhotep" wrote in message
...

To think that the World's richest software company can't fix a serious
patch in a reasonable amount of time is inexcusable (not doubt Roger will
try though). To think that a third party can release a patch in 2 days
but the World's richest software company can't is inexcusable. To think
that Microsoft can patch a DRM security hole in a record 2-3 days leads
one to believe that Microsoft's priorities are somewhere other than their
users and that is inexcusable. The fact that Roger Abell is trying to
defend the obvious ineptness of Microsoft is well, hilarious.

I'm getting tired of explaining this to you over and over. Microsoft's
~45 days to test and release patches has nothing to do with being cheap,
inept
or dishonest. It's just a fact of the Windows architecture that you have
to accept if you choose to use Windows.

Karl, I am getting tired of explaining my point but I will one more time. So
here it goes: Why did DRM patch NOT GO THROUGH THE SAME 45 DAYS TO TEST????
Total time to patch for the DRM holes was 3 days. Again, it seems Microsoft
priorities here was to "protect" the Entertain Industry. Please address
this point should you decide to reply...

The simpleset work around being what? Use Firefox? Then we agree. Better
yet, the *best* work around is to ditch Microsoft all together and get an
Apple or Linux PC....

Please, go ahead and do that, and then go away. I care nothing about how
many people switch to Mac or Linux, as long as they don't pester the rest
of us by running at the mouth about it.

Again, you are trying craftfully to NOT ANSWER the question. Sorry but, I
will not let you off the hook:

Again:

You claim it takes 45 days to test a patch in Windows. Again, why did
Microsoft break patching records to produce the DRM patch (3 days). This is
the contention point here.

A secondary contention point would be why 45 days (unless you are the
Entertainment Industry!). If Microsoft needs more programmers/Managers/Code
Debuggers hire them. Afterall they have what 60 billion in the bank? Why
can everyone else get a patch out sooner (Apple, Red Hat, Novell, Open
Source) as well as have an overall better track record of patch successes?

Now either answer those questions *or* go away yourself...

Imhotep

Karl Levinson, mvp wrote:


"Roger Abell [MVP]" wrote in message
...

PS. can you not control your newreader and its use of followups?

He's probably using some crappy open source newsreader. ;D

Ya, one the never gets viruses and one where patches work all of the
time....image that safe computing does exist (well for some platforms)!

;-)

Imhotep

Roger Abell [MVP] wrote:


"imhotep" wrote in message
...
Roger Abell [MVP] wrote:

"imhotep" wrote in message
...
Replying to the MS blog
http://blogs.technet.com/msrc/archiv...22/458266.aspx


"Attacks remain limited. There?s been some confusion about that, that
somehow attacks are dramatic and widespread."

It has been said that ATTACKS ARE GROWING. This is the concern. Maybe
right
now there are limited sites that host these attacks but, what does
tomorrow
bring?

"Of course, that could change at any moment, and regardless of how many
people are being attacked..."

This is the point.

"So right now we're looking at where we hit that quality bar and if
that occurs prior to the monthly cycle then we will release."

But wait. MS can release the DRM patch in three days but you are saying
that
your customers might have to wait up to a month? Why is it a third
party had a patch out in a couple of days and you can't???


Sadly, I do not believe "confusion" is the issue here. The real issue
is,
yet again, MS customers are taking the hit for an insecure platform. IT
professionals are taking the hit for an insecure platform. However, if
you are the Entertainment Industry, MS will take care of you by
releasing
a DRM
patch in record time (3 days). Really, one must question where
Microsoft's priorities are....

Imhotep


Actually, we are just seeing Imhotep's revelation of predispositions
and inability to comprehend the distinction between QA on a patch
that impacts a top level application capability with fair limited use as
compared to an also lightly used code but that is deeply embedded
in the platform and has had time for potential side-effect to accrete
around it.

No actually we are seeing Roger Abell's overly verbose excuses. Yet
again. To think that the World's richest software company can't fix a
serious patch in a reasonable amount of time is inexcusable (not doubt
Roger will try though). To think that a third party can release a patch
in 2 days but the World's richest software company can't is inexcusable.
To think that Microsoft can patch a DRM security hole in a record 2-3
days leads one to believe that Microsoft's priorities are somewhere other
than their users and that is inexcusable. The fact that Roger Abell is
trying to defend the obvious ineptness of Microsoft is well, hilarious.


Talk about verbose !!

I am defending nothing.

Now just why do you think that I choose to post a new thread on
this the day that the exploit became public ??


I also posted it. Again, for the record you did the right thing, for this I
thank you.


Because it had potential and because the advisory and other available
info provided means for protecting against the threat.


Again, you did the right thing. An informed user can make logical
decisions...and because Microsoft takes so long to produce patches the
brunt of the load unfortunately lies on the users to do something while
Micrsoft produces a patch...


A discussion of a specific threat is NOT the venue to attempt to
discuss other, tangential at best, issues, such as time to delivery
of other fixes, who is in whose bed, etc..


Not at all. The point being made is the time to patch. Again, why can the
Entertainment Industry get a patch in a record setting 3 days but this
patch, for a highly critical security hole, will probably take a month and
a half????

Again, my point is that clearly, Microsoft views protecting copy righted
entertainment as being more important. THIS IS WRONG!!! Securing their
swiss cheese platform for their users should be their highest priority!!!


PS. can you not control your newreader and its use of followups?


The news server I go through will trash your post if your post goes to more
than 4 to 5 newsgroups. So, if you are posting to more than that you have
to break it up in to multiple duplicated posts going to groups of
newsgroups...it does suck but their is no work around. This is a policy of
the news server administrator.


Imhotep

Frankly, with the simple workarounds available, with the apparently
low exploitation, I am quite happy to not use the third-party patch
and to wait for a regression tested release by the MSRC.

The simpleset work around being what? Use Firefox? Then we agree. Better
yet, the *best* work around is to ditch Microsoft all together and get an
Apple or Linux PC....

Imhotep

Roger

PS. What is with your habit of always setting followups to the
IE sec newsgroup anyway ??

Bill Sanderson MVP wrote:

And here's what Microsoft has to say:

http://blogs.technet.com/msrc/archiv...22/458266.aspx

"imhotep" wrote in message
...
Microsoft Zero Day security holes being exploited

"Microsoft has issued warnings about a serious flaw in Internet
Explorer that allows attackers to hijack a PC via the popular browser

Researcher Adam Thomas uncovered the exploit which revolves around
the way that the Internet Explorer browser handles a particular form
of graphics known as vector graphics.

A properly crafted webpage can exploit this problem and install
almost anything they want on the target machine.
Unusable PC

Tests by Sunbelt Software on a Windows machine patched with all the
latest security updates showed attackers installing a huge amount of
spyware and other malicious programs."

http://news.bbc.co.uk/2/hi/technology/5365296.stm

Imhotep

Roger Abell [MVP] wrote:


"imhotep" wrote in message
...
Roger Abell [MVP] wrote:

"imhotep" wrote in message
...
Roger Abell [MVP] wrote:

"imhotep" wrote in message
...
Replying to the MS blog
http://blogs.technet.com/msrc/archiv...22/458266.aspx


"Attacks remain limited. There?s been some confusion about that,
that somehow attacks are dramatic and widespread."

It has been said that ATTACKS ARE GROWING. This is the concern. Maybe
right
now there are limited sites that host these attacks but, what does
tomorrow
bring?

"Of course, that could change at any moment, and regardless of how
many
people are being attacked..."

This is the point.

"So right now we're looking at where we hit that quality bar and if
that occurs prior to the monthly cycle then we will release."

But wait. MS can release the DRM patch in three days but you are
saying
that
your customers might have to wait up to a month? Why is it a third
party had a patch out in a couple of days and you can't???


Sadly, I do not believe "confusion" is the issue here. The real issue
is,
yet again, MS customers are taking the hit for an insecure platform.
IT
professionals are taking the hit for an insecure platform. However,
if you are the Entertainment Industry, MS will take care of you by
releasing
a DRM
patch in record time (3 days). Really, one must question where
Microsoft's priorities are....

Imhotep


Actually, we are just seeing Imhotep's revelation of predispositions
and inability to comprehend the distinction between QA on a patch
that impacts a top level application capability with fair limited use
as
compared to an also lightly used code but that is deeply embedded
in the platform and has had time for potential side-effect to accrete
around it.

No actually we are seeing Roger Abell's overly verbose excuses. Yet
again. To think that the World's richest software company can't fix a
serious patch in a reasonable amount of time is inexcusable (not doubt
Roger will try though). To think that a third party can release a patch
in 2 days but the World's richest software company can't is
inexcusable. To think that Microsoft can patch a DRM security hole in a
record 2-3 days leads one to believe that Microsoft's priorities are
somewhere other
than their users and that is inexcusable. The fact that Roger Abell is
trying to defend the obvious ineptness of Microsoft is well, hilarious.


Talk about verbose !!

Now just why do you think that I choose to post a new thread on
this the day that the exploit became public ??
Because it had potential and because the advisory and other available
info provided means for protecting against the threat.

...and I thanked you. As you did the right thing.

A discussion of a specific threat is NOT the venue to attempt to
discuss other, tangential at best, issues, such as time to delivery
of other fixes, who is in whose bed, etc..

Time to patch is most definitely relevant to all security holes
especially when the code to do exploit the security hole is all over the
'net...

Now as I stated before, it is shamefull that the DRM patch was 3 days but
it
seems that people will have to wait a month (maybe more?) for this
security
hole to be patched. Now come on. Even a Pro Microsoft guy like yourself,
must be a little angry at how the Entertainment Industry gets taken cared
of while users and corporations are getting substandard attention....


If you feel so , then start a thread on that
Do not try to take a thread on a specific threat OT


Not a bad idea...

Imhotep


ra


Frankly, with the simple workarounds available, with the apparently
low exploitation, I am quite happy to not use the third-party patch
and to wait for a regression tested release by the MSRC.

The simpleset work around being what? Use Firefox? Then we agree.
Better yet, the *best* work around is to ditch Microsoft all together
and get an
Apple or Linux PC....

Imhotep

Roger

PS. What is with your habit of always setting followups to the
IE sec newsgroup anyway ??

Bill Sanderson MVP wrote:

And here's what Microsoft has to say:

http://blogs.technet.com/msrc/archiv...22/458266.aspx

"imhotep" wrote in message
...
Microsoft Zero Day security holes being exploited

"Microsoft has issued warnings about a serious flaw in Internet
Explorer that allows attackers to hijack a PC via the popular
browser

Researcher Adam Thomas uncovered the exploit which revolves around
the way that the Internet Explorer browser handles a particular
form of graphics known as vector graphics.

A properly crafted webpage can exploit this problem and install
almost anything they want on the target machine.
Unusable PC

Tests by Sunbelt Software on a Windows machine patched with all the
latest security updates showed attackers installing a huge amount
of spyware and other malicious programs."

http://news.bbc.co.uk/2/hi/technology/5365296.stm

Imhotep

Karl Levinson, mvp wrote:


"imhotep" wrote in message
...

"Hackers gained access to HostGator's servers late Thursday and began
redirecting customer sites to outside web pages that exploit an unpatched
VML security hole in Internet Explorer to infect web surfers with
trojans.

I guess this shoots your theory to crap, eh?

Not really. Trend Micro's numbers for the VML exploit are still at zero.
The same "mass hackings" of web sites also happened with Download.ject and
Qhosts, and yet those infected very few hosts. You just aren't getting
the message that browser vulns are widely overrated as a means for
infecting or
compromising systems. Even if there is no patch for a particular browser
vuln, people running antivirus are largely protected anyways.


http://www.trendmicro.com/vinfo/viru...S&Perio d=All

Oh yea, I bet they are lying too...

No, that article just doesn't say what you think it says. It doesn't say
that large numbers of people are being infected by this.

The fact of the matter is this. Nobody knows for sure how many people have
been infected by this. Nobody knows for sure how many will be infected by
this tomorrow...and the day after that and so on. How does anyone know? How
does Trend Micros know? What do they do scan .01% of the web sites out
there and make a judgment? This is foolishness.

Clearly secure holes need to be addressed and evaluated by their severity.
Clearly this security hole is quite severe. Clearly there needs to be a
patch in record time (like the DRM patch)...

Imhotep

Ian wrote:


Think we'll only achieve secure computing when C is dropped in favour of a
better language. The list of buffer-overflow exploits in every single
major software-package gets monotonous.


As a C programmer (one of many languages I know) that is one of the most
foolish statements I have heard all year. Buffer-overflows are not caused
by the programming language. They are caused by bad programmers!!!!!!!!!!!!

The problem here is that some people want a language to cover up their lack
of programming skills!!!!!!! Utter foolishness!!!



After all, nobody ever got prosecuted for 'Not realising that guy was
going to do something silly.' But people do get prosecuted for driving
cars with no brakes.


If you do not possess the skills to drive a car, why are you attempting to
drive it??? Driving a car requires a skill set, if you do not possess it,
don't drive...in either case don't blame the car for your ineptness.


Imhotep