If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below. |
|
|
Thread Tools | Display Modes |
#1
|
|||
|
|||
Microsoft Zero Day security holes being exploited
Microsoft Zero Day security holes being exploited
"Microsoft has issued warnings about a serious flaw in Internet Explorer that allows attackers to hijack a PC via the popular browser Researcher Adam Thomas uncovered the exploit which revolves around the way that the Internet Explorer browser handles a particular form of graphics known as vector graphics. A properly crafted webpage can exploit this problem and install almost anything they want on the target machine. Unusable PC Tests by Sunbelt Software on a Windows machine patched with all the latest security updates showed attackers installing a huge amount of spyware and other malicious programs." http://news.bbc.co.uk/2/hi/technology/5365296.stm Imhotep |
Ads |
#2
|
|||
|
|||
Microsoft Zero Day security holes being exploited
Replying to the MS blog
http://blogs.technet.com/msrc/archiv...22/458266.aspx "Attacks remain limited. There?s been some confusion about that, that somehow attacks are dramatic and widespread." It has been said that ATTACKS ARE GROWING. This is the concern. Maybe right now there are limited sites that host these attacks but, what does tomorrow bring? "Of course, that could change at any moment, and regardless of how many people are being attacked..." This is the point. "So right now we're looking at where we hit that quality bar and if that occurs prior to the monthly cycle then we will release." But wait. MS can release the DRM patch in three days but you are saying that your customers might have to wait up to a month? Why is it a third party had a patch out in a couple of days and you can't??? Sadly, I do not believe "confusion" is the issue here. The real issue is, yet again, MS customers are taking the hit for an insecure platform. IT professionals are taking the hit for an insecure platform. However, if you are the Entertainment Industry, MS will take care of you by releasing a DRM patch in record time (3 days). Really, one must question where Microsoft's priorities are.... Imhotep Bill Sanderson MVP wrote: And here's what Microsoft has to say: http://blogs.technet.com/msrc/archiv...22/458266.aspx "imhotep" wrote in message ... Microsoft Zero Day security holes being exploited "Microsoft has issued warnings about a serious flaw in Internet Explorer that allows attackers to hijack a PC via the popular browser Researcher Adam Thomas uncovered the exploit which revolves around the way that the Internet Explorer browser handles a particular form of graphics known as vector graphics. A properly crafted webpage can exploit this problem and install almost anything they want on the target machine. Unusable PC Tests by Sunbelt Software on a Windows machine patched with all the latest security updates showed attackers installing a huge amount of spyware and other malicious programs." http://news.bbc.co.uk/2/hi/technology/5365296.stm Imhotep |
#3
|
|||
|
|||
Microsoft Zero Day security holes being exploited
Roger Abell [MVP] wrote:
"imhotep" wrote in message ... Replying to the MS blog http://blogs.technet.com/msrc/archiv...22/458266.aspx "Attacks remain limited. There?s been some confusion about that, that somehow attacks are dramatic and widespread." It has been said that ATTACKS ARE GROWING. This is the concern. Maybe right now there are limited sites that host these attacks but, what does tomorrow bring? "Of course, that could change at any moment, and regardless of how many people are being attacked..." This is the point. "So right now we're looking at where we hit that quality bar and if that occurs prior to the monthly cycle then we will release." But wait. MS can release the DRM patch in three days but you are saying that your customers might have to wait up to a month? Why is it a third party had a patch out in a couple of days and you can't??? Sadly, I do not believe "confusion" is the issue here. The real issue is, yet again, MS customers are taking the hit for an insecure platform. IT professionals are taking the hit for an insecure platform. However, if you are the Entertainment Industry, MS will take care of you by releasing a DRM patch in record time (3 days). Really, one must question where Microsoft's priorities are.... Imhotep Actually, we are just seeing Imhotep's revelation of predispositions and inability to comprehend the distinction between QA on a patch that impacts a top level application capability with fair limited use as compared to an also lightly used code but that is deeply embedded in the platform and has had time for potential side-effect to accrete around it. No actually we are seeing Roger Abell's overly verbose excuses. Yet again. To think that the World's richest software company can't fix a serious patch in a reasonable amount of time is inexcusable (not doubt Roger will try though). To think that a third party can release a patch in 2 days but the World's richest software company can't is inexcusable. To think that Microsoft can patch a DRM security hole in a record 2-3 days leads one to believe that Microsoft's priorities are somewhere other than their users and that is inexcusable. The fact that Roger Abell is trying to defend the obvious ineptness of Microsoft is well, hilarious. Frankly, with the simple workarounds available, with the apparently low exploitation, I am quite happy to not use the third-party patch and to wait for a regression tested release by the MSRC. The simpleset work around being what? Use Firefox? Then we agree. Better yet, the *best* work around is to ditch Microsoft all together and get an Apple or Linux PC.... Imhotep Roger PS. What is with your habit of always setting followups to the IE sec newsgroup anyway ?? Bill Sanderson MVP wrote: And here's what Microsoft has to say: http://blogs.technet.com/msrc/archiv...22/458266.aspx "imhotep" wrote in message ... Microsoft Zero Day security holes being exploited "Microsoft has issued warnings about a serious flaw in Internet Explorer that allows attackers to hijack a PC via the popular browser Researcher Adam Thomas uncovered the exploit which revolves around the way that the Internet Explorer browser handles a particular form of graphics known as vector graphics. A properly crafted webpage can exploit this problem and install almost anything they want on the target machine. Unusable PC Tests by Sunbelt Software on a Windows machine patched with all the latest security updates showed attackers installing a huge amount of spyware and other malicious programs." http://news.bbc.co.uk/2/hi/technology/5365296.stm Imhotep |
#4
|
|||
|
|||
Microsoft Zero Day security holes being exploited
"imhotep" wrote in message ... Roger Abell [MVP] wrote: "imhotep" wrote in message ... Replying to the MS blog http://blogs.technet.com/msrc/archiv...22/458266.aspx "Attacks remain limited. There?s been some confusion about that, that somehow attacks are dramatic and widespread." It has been said that ATTACKS ARE GROWING. This is the concern. Maybe right now there are limited sites that host these attacks but, what does tomorrow bring? "Of course, that could change at any moment, and regardless of how many people are being attacked..." This is the point. "So right now we're looking at where we hit that quality bar and if that occurs prior to the monthly cycle then we will release." But wait. MS can release the DRM patch in three days but you are saying that your customers might have to wait up to a month? Why is it a third party had a patch out in a couple of days and you can't??? Sadly, I do not believe "confusion" is the issue here. The real issue is, yet again, MS customers are taking the hit for an insecure platform. IT professionals are taking the hit for an insecure platform. However, if you are the Entertainment Industry, MS will take care of you by releasing a DRM patch in record time (3 days). Really, one must question where Microsoft's priorities are.... Imhotep Actually, we are just seeing Imhotep's revelation of predispositions and inability to comprehend the distinction between QA on a patch that impacts a top level application capability with fair limited use as compared to an also lightly used code but that is deeply embedded in the platform and has had time for potential side-effect to accrete around it. No actually we are seeing Roger Abell's overly verbose excuses. Yet again. To think that the World's richest software company can't fix a serious patch in a reasonable amount of time is inexcusable (not doubt Roger will try though). To think that a third party can release a patch in 2 days but the World's richest software company can't is inexcusable. To think that Microsoft can patch a DRM security hole in a record 2-3 days leads one to believe that Microsoft's priorities are somewhere other than their users and that is inexcusable. The fact that Roger Abell is trying to defend the obvious ineptness of Microsoft is well, hilarious. Talk about verbose !! I am defending nothing. Now just why do you think that I choose to post a new thread on this the day that the exploit became public ?? Because it had potential and because the advisory and other available info provided means for protecting against the threat. A discussion of a specific threat is NOT the venue to attempt to discuss other, tangential at best, issues, such as time to delivery of other fixes, who is in whose bed, etc.. PS. can you not control your newreader and its use of followups? Frankly, with the simple workarounds available, with the apparently low exploitation, I am quite happy to not use the third-party patch and to wait for a regression tested release by the MSRC. The simpleset work around being what? Use Firefox? Then we agree. Better yet, the *best* work around is to ditch Microsoft all together and get an Apple or Linux PC.... Imhotep Roger PS. What is with your habit of always setting followups to the IE sec newsgroup anyway ?? Bill Sanderson MVP wrote: And here's what Microsoft has to say: http://blogs.technet.com/msrc/archiv...22/458266.aspx "imhotep" wrote in message ... Microsoft Zero Day security holes being exploited "Microsoft has issued warnings about a serious flaw in Internet Explorer that allows attackers to hijack a PC via the popular browser Researcher Adam Thomas uncovered the exploit which revolves around the way that the Internet Explorer browser handles a particular form of graphics known as vector graphics. A properly crafted webpage can exploit this problem and install almost anything they want on the target machine. Unusable PC Tests by Sunbelt Software on a Windows machine patched with all the latest security updates showed attackers installing a huge amount of spyware and other malicious programs." http://news.bbc.co.uk/2/hi/technology/5365296.stm Imhotep |
#5
|
|||
|
|||
Microsoft Zero Day security holes being exploited
Roger Abell [MVP] wrote:
"imhotep" wrote in message ... Roger Abell [MVP] wrote: "imhotep" wrote in message ... Replying to the MS blog http://blogs.technet.com/msrc/archiv...22/458266.aspx "Attacks remain limited. There?s been some confusion about that, that somehow attacks are dramatic and widespread." It has been said that ATTACKS ARE GROWING. This is the concern. Maybe right now there are limited sites that host these attacks but, what does tomorrow bring? "Of course, that could change at any moment, and regardless of how many people are being attacked..." This is the point. "So right now we're looking at where we hit that quality bar and if that occurs prior to the monthly cycle then we will release." But wait. MS can release the DRM patch in three days but you are saying that your customers might have to wait up to a month? Why is it a third party had a patch out in a couple of days and you can't??? Sadly, I do not believe "confusion" is the issue here. The real issue is, yet again, MS customers are taking the hit for an insecure platform. IT professionals are taking the hit for an insecure platform. However, if you are the Entertainment Industry, MS will take care of you by releasing a DRM patch in record time (3 days). Really, one must question where Microsoft's priorities are.... Imhotep Actually, we are just seeing Imhotep's revelation of predispositions and inability to comprehend the distinction between QA on a patch that impacts a top level application capability with fair limited use as compared to an also lightly used code but that is deeply embedded in the platform and has had time for potential side-effect to accrete around it. No actually we are seeing Roger Abell's overly verbose excuses. Yet again. To think that the World's richest software company can't fix a serious patch in a reasonable amount of time is inexcusable (not doubt Roger will try though). To think that a third party can release a patch in 2 days but the World's richest software company can't is inexcusable. To think that Microsoft can patch a DRM security hole in a record 2-3 days leads one to believe that Microsoft's priorities are somewhere other than their users and that is inexcusable. The fact that Roger Abell is trying to defend the obvious ineptness of Microsoft is well, hilarious. Talk about verbose !! Now just why do you think that I choose to post a new thread on this the day that the exploit became public ?? Because it had potential and because the advisory and other available info provided means for protecting against the threat. ....and I thanked you. As you did the right thing. A discussion of a specific threat is NOT the venue to attempt to discuss other, tangential at best, issues, such as time to delivery of other fixes, who is in whose bed, etc.. Time to patch is most definitely relevant to all security holes especially when the code to do exploit the security hole is all over the 'net... Now as I stated before, it is shamefull that the DRM patch was 3 days but it seems that people will have to wait a month (maybe more?) for this security hole to be patched. Now come on. Even a Pro Microsoft guy like yourself, must be a little angry at how the Entertainment Industry gets taken cared of while users and corporations are getting substandard attention.... Imhotep Frankly, with the simple workarounds available, with the apparently low exploitation, I am quite happy to not use the third-party patch and to wait for a regression tested release by the MSRC. The simpleset work around being what? Use Firefox? Then we agree. Better yet, the *best* work around is to ditch Microsoft all together and get an Apple or Linux PC.... Imhotep Roger PS. What is with your habit of always setting followups to the IE sec newsgroup anyway ?? Bill Sanderson MVP wrote: And here's what Microsoft has to say: http://blogs.technet.com/msrc/archiv...22/458266.aspx "imhotep" wrote in message ... Microsoft Zero Day security holes being exploited "Microsoft has issued warnings about a serious flaw in Internet Explorer that allows attackers to hijack a PC via the popular browser Researcher Adam Thomas uncovered the exploit which revolves around the way that the Internet Explorer browser handles a particular form of graphics known as vector graphics. A properly crafted webpage can exploit this problem and install almost anything they want on the target machine. Unusable PC Tests by Sunbelt Software on a Windows machine patched with all the latest security updates showed attackers installing a huge amount of spyware and other malicious programs." http://news.bbc.co.uk/2/hi/technology/5365296.stm Imhotep |
#6
|
|||
|
|||
Microsoft Zero Day security holes being exploited
Karl Levinson, mvp wrote:
"imhotep" wrote in message ... It has been said that ATTACKS ARE GROWING. This is the concern. Maybe right now there are limited sites that host these attacks but, what does tomorrow bring? Is there any reason why you trust these reports more than Microsoft's reports? Time and time again, Microsoft's assessments have proven more accurate than the chicken littles in the security industry who profit from pointless fear. "Of course, that could change at any moment, and regardless of how many people are being attacked..." This is the point. Browser vulns are highly overrated and overreported. You make the problem worse by hyping and trumping it up here. Trend Micro's numbers for people infected worldwide by VML exploits: zero. http://www.trendmicro.com/vinfo/viru...S&Perio d=All This is entirely consistent with what we know about the number of people infected by Download.ject and Qhosts, two other similar browser vulns. "So right now we're looking at where we hit that quality bar and if that occurs prior to the monthly cycle then we will release." But wait. MS can release the DRM patch in three days but you are saying that your customers might have to wait up to a month? You have zero basis in fact for assuming that the DRM patch being released in 3 days has something to do with Microsoft's priorities. What it tells me is that the DRM patch had little to no possibility of breaking things. You are arguing that Microsoft releasing patches in three days is a good thing and the best for everyone, but you have not proven this to be the case. Why is it a third party had a patch out in a couple of days and you can't??? If it bothers you enough, there is a registry value that disables VML. Most people won't find it necessary to enable this workaround. Sadly, I do not believe "confusion" is the issue here. The real issue is, yet again, MS customers are taking the hit for an insecure platform. IT professionals are taking the hit Yes, all zero of them. Really, one must question where Microsoft's priorities are.... You really don't. I guess this shoots your theory to crap, eh? Oh yea, I bet they are lying too... "Hackers gained access to HostGator's servers late Thursday and began redirecting customer sites to outside web pages that exploit an unpatched VML security hole in Internet Explorer to infect web surfers with trojans. The existence of the new "0-day" exploit of cPanel leaves a large number of hosting companies vulnerable to similar attacks until they install the patch. The risk is mitigated somewhat by the fact that it is a local exploit, meaning any attack on a host must be launched from an existing account with cPanel access." From: HostGator: cPanel Security Hole Exploited in Mass Hack http://news.netcraft.com/archives/20...ss_h ack.html Imhotep |
#7
|
|||
|
|||
Microsoft Zero Day security holes being exploited
Think we'll only achieve secure computing when C is dropped in favour of a better language. The list of buffer-overflow exploits in every single major software-package gets monotonous. After all, nobody ever got prosecuted for 'Not realising that guy was going to do something silly.' But people do get prosecuted for driving cars with no brakes. |
#8
|
|||
|
|||
Microsoft Zero Day security holes being exploited
"imhotep" wrote in message ... Roger Abell [MVP] wrote: "imhotep" wrote in message ... Roger Abell [MVP] wrote: "imhotep" wrote in message ... Replying to the MS blog http://blogs.technet.com/msrc/archiv...22/458266.aspx "Attacks remain limited. There?s been some confusion about that, that somehow attacks are dramatic and widespread." It has been said that ATTACKS ARE GROWING. This is the concern. Maybe right now there are limited sites that host these attacks but, what does tomorrow bring? "Of course, that could change at any moment, and regardless of how many people are being attacked..." This is the point. "So right now we're looking at where we hit that quality bar and if that occurs prior to the monthly cycle then we will release." But wait. MS can release the DRM patch in three days but you are saying that your customers might have to wait up to a month? Why is it a third party had a patch out in a couple of days and you can't??? Sadly, I do not believe "confusion" is the issue here. The real issue is, yet again, MS customers are taking the hit for an insecure platform. IT professionals are taking the hit for an insecure platform. However, if you are the Entertainment Industry, MS will take care of you by releasing a DRM patch in record time (3 days). Really, one must question where Microsoft's priorities are.... Imhotep Actually, we are just seeing Imhotep's revelation of predispositions and inability to comprehend the distinction between QA on a patch that impacts a top level application capability with fair limited use as compared to an also lightly used code but that is deeply embedded in the platform and has had time for potential side-effect to accrete around it. No actually we are seeing Roger Abell's overly verbose excuses. Yet again. To think that the World's richest software company can't fix a serious patch in a reasonable amount of time is inexcusable (not doubt Roger will try though). To think that a third party can release a patch in 2 days but the World's richest software company can't is inexcusable. To think that Microsoft can patch a DRM security hole in a record 2-3 days leads one to believe that Microsoft's priorities are somewhere other than their users and that is inexcusable. The fact that Roger Abell is trying to defend the obvious ineptness of Microsoft is well, hilarious. Talk about verbose !! Now just why do you think that I choose to post a new thread on this the day that the exploit became public ?? Because it had potential and because the advisory and other available info provided means for protecting against the threat. ...and I thanked you. As you did the right thing. A discussion of a specific threat is NOT the venue to attempt to discuss other, tangential at best, issues, such as time to delivery of other fixes, who is in whose bed, etc.. Time to patch is most definitely relevant to all security holes especially when the code to do exploit the security hole is all over the 'net... Now as I stated before, it is shamefull that the DRM patch was 3 days but it seems that people will have to wait a month (maybe more?) for this security hole to be patched. Now come on. Even a Pro Microsoft guy like yourself, must be a little angry at how the Entertainment Industry gets taken cared of while users and corporations are getting substandard attention.... If you feel so , then start a thread on that Do not try to take a thread on a specific threat OT ra Frankly, with the simple workarounds available, with the apparently low exploitation, I am quite happy to not use the third-party patch and to wait for a regression tested release by the MSRC. The simpleset work around being what? Use Firefox? Then we agree. Better yet, the *best* work around is to ditch Microsoft all together and get an Apple or Linux PC.... Imhotep Roger PS. What is with your habit of always setting followups to the IE sec newsgroup anyway ?? Bill Sanderson MVP wrote: And here's what Microsoft has to say: http://blogs.technet.com/msrc/archiv...22/458266.aspx "imhotep" wrote in message ... Microsoft Zero Day security holes being exploited "Microsoft has issued warnings about a serious flaw in Internet Explorer that allows attackers to hijack a PC via the popular browser Researcher Adam Thomas uncovered the exploit which revolves around the way that the Internet Explorer browser handles a particular form of graphics known as vector graphics. A properly crafted webpage can exploit this problem and install almost anything they want on the target machine. Unusable PC Tests by Sunbelt Software on a Windows machine patched with all the latest security updates showed attackers installing a huge amount of spyware and other malicious programs." http://news.bbc.co.uk/2/hi/technology/5365296.stm Imhotep |
#9
|
|||
|
|||
Microsoft Zero Day security holes being exploited
"Roger Abell [MVP]" wrote in message ... PS. can you not control your newreader and its use of followups? He's probably using some crappy open source newsreader. ;D |
#10
|
|||
|
|||
Microsoft Zero Day security holes being exploited
Karl Levinson, mvp wrote:
"imhotep" wrote in message ... To think that the World's richest software company can't fix a serious patch in a reasonable amount of time is inexcusable (not doubt Roger will try though). To think that a third party can release a patch in 2 days but the World's richest software company can't is inexcusable. To think that Microsoft can patch a DRM security hole in a record 2-3 days leads one to believe that Microsoft's priorities are somewhere other than their users and that is inexcusable. The fact that Roger Abell is trying to defend the obvious ineptness of Microsoft is well, hilarious. I'm getting tired of explaining this to you over and over. Microsoft's ~45 days to test and release patches has nothing to do with being cheap, inept or dishonest. It's just a fact of the Windows architecture that you have to accept if you choose to use Windows. Karl, I am getting tired of explaining my point but I will one more time. So here it goes: Why did DRM patch NOT GO THROUGH THE SAME 45 DAYS TO TEST???? Total time to patch for the DRM holes was 3 days. Again, it seems Microsoft priorities here was to "protect" the Entertain Industry. Please address this point should you decide to reply... The simpleset work around being what? Use Firefox? Then we agree. Better yet, the *best* work around is to ditch Microsoft all together and get an Apple or Linux PC.... Please, go ahead and do that, and then go away. I care nothing about how many people switch to Mac or Linux, as long as they don't pester the rest of us by running at the mouth about it. Again, you are trying craftfully to NOT ANSWER the question. Sorry but, I will not let you off the hook: Again: You claim it takes 45 days to test a patch in Windows. Again, why did Microsoft break patching records to produce the DRM patch (3 days). This is the contention point here. A secondary contention point would be why 45 days (unless you are the Entertainment Industry!). If Microsoft needs more programmers/Managers/Code Debuggers hire them. Afterall they have what 60 billion in the bank? Why can everyone else get a patch out sooner (Apple, Red Hat, Novell, Open Source) as well as have an overall better track record of patch successes? Now either answer those questions *or* go away yourself... Imhotep |
#11
|
|||
|
|||
Microsoft Zero Day security holes being exploited
Karl Levinson, mvp wrote:
"Roger Abell [MVP]" wrote in message ... PS. can you not control your newreader and its use of followups? He's probably using some crappy open source newsreader. ;D Ya, one the never gets viruses and one where patches work all of the time....image that safe computing does exist (well for some platforms)! ;-) Imhotep |
#12
|
|||
|
|||
Microsoft Zero Day security holes being exploited
Roger Abell [MVP] wrote:
"imhotep" wrote in message ... Roger Abell [MVP] wrote: "imhotep" wrote in message ... Replying to the MS blog http://blogs.technet.com/msrc/archiv...22/458266.aspx "Attacks remain limited. There?s been some confusion about that, that somehow attacks are dramatic and widespread." It has been said that ATTACKS ARE GROWING. This is the concern. Maybe right now there are limited sites that host these attacks but, what does tomorrow bring? "Of course, that could change at any moment, and regardless of how many people are being attacked..." This is the point. "So right now we're looking at where we hit that quality bar and if that occurs prior to the monthly cycle then we will release." But wait. MS can release the DRM patch in three days but you are saying that your customers might have to wait up to a month? Why is it a third party had a patch out in a couple of days and you can't??? Sadly, I do not believe "confusion" is the issue here. The real issue is, yet again, MS customers are taking the hit for an insecure platform. IT professionals are taking the hit for an insecure platform. However, if you are the Entertainment Industry, MS will take care of you by releasing a DRM patch in record time (3 days). Really, one must question where Microsoft's priorities are.... Imhotep Actually, we are just seeing Imhotep's revelation of predispositions and inability to comprehend the distinction between QA on a patch that impacts a top level application capability with fair limited use as compared to an also lightly used code but that is deeply embedded in the platform and has had time for potential side-effect to accrete around it. No actually we are seeing Roger Abell's overly verbose excuses. Yet again. To think that the World's richest software company can't fix a serious patch in a reasonable amount of time is inexcusable (not doubt Roger will try though). To think that a third party can release a patch in 2 days but the World's richest software company can't is inexcusable. To think that Microsoft can patch a DRM security hole in a record 2-3 days leads one to believe that Microsoft's priorities are somewhere other than their users and that is inexcusable. The fact that Roger Abell is trying to defend the obvious ineptness of Microsoft is well, hilarious. Talk about verbose !! I am defending nothing. Now just why do you think that I choose to post a new thread on this the day that the exploit became public ?? I also posted it. Again, for the record you did the right thing, for this I thank you. Because it had potential and because the advisory and other available info provided means for protecting against the threat. Again, you did the right thing. An informed user can make logical decisions...and because Microsoft takes so long to produce patches the brunt of the load unfortunately lies on the users to do something while Micrsoft produces a patch... A discussion of a specific threat is NOT the venue to attempt to discuss other, tangential at best, issues, such as time to delivery of other fixes, who is in whose bed, etc.. Not at all. The point being made is the time to patch. Again, why can the Entertainment Industry get a patch in a record setting 3 days but this patch, for a highly critical security hole, will probably take a month and a half???? Again, my point is that clearly, Microsoft views protecting copy righted entertainment as being more important. THIS IS WRONG!!! Securing their swiss cheese platform for their users should be their highest priority!!! PS. can you not control your newreader and its use of followups? The news server I go through will trash your post if your post goes to more than 4 to 5 newsgroups. So, if you are posting to more than that you have to break it up in to multiple duplicated posts going to groups of newsgroups...it does suck but their is no work around. This is a policy of the news server administrator. Imhotep Frankly, with the simple workarounds available, with the apparently low exploitation, I am quite happy to not use the third-party patch and to wait for a regression tested release by the MSRC. The simpleset work around being what? Use Firefox? Then we agree. Better yet, the *best* work around is to ditch Microsoft all together and get an Apple or Linux PC.... Imhotep Roger PS. What is with your habit of always setting followups to the IE sec newsgroup anyway ?? Bill Sanderson MVP wrote: And here's what Microsoft has to say: http://blogs.technet.com/msrc/archiv...22/458266.aspx "imhotep" wrote in message ... Microsoft Zero Day security holes being exploited "Microsoft has issued warnings about a serious flaw in Internet Explorer that allows attackers to hijack a PC via the popular browser Researcher Adam Thomas uncovered the exploit which revolves around the way that the Internet Explorer browser handles a particular form of graphics known as vector graphics. A properly crafted webpage can exploit this problem and install almost anything they want on the target machine. Unusable PC Tests by Sunbelt Software on a Windows machine patched with all the latest security updates showed attackers installing a huge amount of spyware and other malicious programs." http://news.bbc.co.uk/2/hi/technology/5365296.stm Imhotep |
#13
|
|||
|
|||
Microsoft Zero Day security holes being exploited
Roger Abell [MVP] wrote:
"imhotep" wrote in message ... Roger Abell [MVP] wrote: "imhotep" wrote in message ... Roger Abell [MVP] wrote: "imhotep" wrote in message ... Replying to the MS blog http://blogs.technet.com/msrc/archiv...22/458266.aspx "Attacks remain limited. There?s been some confusion about that, that somehow attacks are dramatic and widespread." It has been said that ATTACKS ARE GROWING. This is the concern. Maybe right now there are limited sites that host these attacks but, what does tomorrow bring? "Of course, that could change at any moment, and regardless of how many people are being attacked..." This is the point. "So right now we're looking at where we hit that quality bar and if that occurs prior to the monthly cycle then we will release." But wait. MS can release the DRM patch in three days but you are saying that your customers might have to wait up to a month? Why is it a third party had a patch out in a couple of days and you can't??? Sadly, I do not believe "confusion" is the issue here. The real issue is, yet again, MS customers are taking the hit for an insecure platform. IT professionals are taking the hit for an insecure platform. However, if you are the Entertainment Industry, MS will take care of you by releasing a DRM patch in record time (3 days). Really, one must question where Microsoft's priorities are.... Imhotep Actually, we are just seeing Imhotep's revelation of predispositions and inability to comprehend the distinction between QA on a patch that impacts a top level application capability with fair limited use as compared to an also lightly used code but that is deeply embedded in the platform and has had time for potential side-effect to accrete around it. No actually we are seeing Roger Abell's overly verbose excuses. Yet again. To think that the World's richest software company can't fix a serious patch in a reasonable amount of time is inexcusable (not doubt Roger will try though). To think that a third party can release a patch in 2 days but the World's richest software company can't is inexcusable. To think that Microsoft can patch a DRM security hole in a record 2-3 days leads one to believe that Microsoft's priorities are somewhere other than their users and that is inexcusable. The fact that Roger Abell is trying to defend the obvious ineptness of Microsoft is well, hilarious. Talk about verbose !! Now just why do you think that I choose to post a new thread on this the day that the exploit became public ?? Because it had potential and because the advisory and other available info provided means for protecting against the threat. ...and I thanked you. As you did the right thing. A discussion of a specific threat is NOT the venue to attempt to discuss other, tangential at best, issues, such as time to delivery of other fixes, who is in whose bed, etc.. Time to patch is most definitely relevant to all security holes especially when the code to do exploit the security hole is all over the 'net... Now as I stated before, it is shamefull that the DRM patch was 3 days but it seems that people will have to wait a month (maybe more?) for this security hole to be patched. Now come on. Even a Pro Microsoft guy like yourself, must be a little angry at how the Entertainment Industry gets taken cared of while users and corporations are getting substandard attention.... If you feel so , then start a thread on that Do not try to take a thread on a specific threat OT Not a bad idea... Imhotep ra Frankly, with the simple workarounds available, with the apparently low exploitation, I am quite happy to not use the third-party patch and to wait for a regression tested release by the MSRC. The simpleset work around being what? Use Firefox? Then we agree. Better yet, the *best* work around is to ditch Microsoft all together and get an Apple or Linux PC.... Imhotep Roger PS. What is with your habit of always setting followups to the IE sec newsgroup anyway ?? Bill Sanderson MVP wrote: And here's what Microsoft has to say: http://blogs.technet.com/msrc/archiv...22/458266.aspx "imhotep" wrote in message ... Microsoft Zero Day security holes being exploited "Microsoft has issued warnings about a serious flaw in Internet Explorer that allows attackers to hijack a PC via the popular browser Researcher Adam Thomas uncovered the exploit which revolves around the way that the Internet Explorer browser handles a particular form of graphics known as vector graphics. A properly crafted webpage can exploit this problem and install almost anything they want on the target machine. Unusable PC Tests by Sunbelt Software on a Windows machine patched with all the latest security updates showed attackers installing a huge amount of spyware and other malicious programs." http://news.bbc.co.uk/2/hi/technology/5365296.stm Imhotep |
#14
|
|||
|
|||
Microsoft Zero Day security holes being exploited
Karl Levinson, mvp wrote:
"imhotep" wrote in message ... "Hackers gained access to HostGator's servers late Thursday and began redirecting customer sites to outside web pages that exploit an unpatched VML security hole in Internet Explorer to infect web surfers with trojans. I guess this shoots your theory to crap, eh? Not really. Trend Micro's numbers for the VML exploit are still at zero. The same "mass hackings" of web sites also happened with Download.ject and Qhosts, and yet those infected very few hosts. You just aren't getting the message that browser vulns are widely overrated as a means for infecting or compromising systems. Even if there is no patch for a particular browser vuln, people running antivirus are largely protected anyways. http://www.trendmicro.com/vinfo/viru...S&Perio d=All Oh yea, I bet they are lying too... No, that article just doesn't say what you think it says. It doesn't say that large numbers of people are being infected by this. The fact of the matter is this. Nobody knows for sure how many people have been infected by this. Nobody knows for sure how many will be infected by this tomorrow...and the day after that and so on. How does anyone know? How does Trend Micros know? What do they do scan .01% of the web sites out there and make a judgment? This is foolishness. Clearly secure holes need to be addressed and evaluated by their severity. Clearly this security hole is quite severe. Clearly there needs to be a patch in record time (like the DRM patch)... Imhotep |
#15
|
|||
|
|||
Microsoft Zero Day security holes being exploited
Ian wrote:
Think we'll only achieve secure computing when C is dropped in favour of a better language. The list of buffer-overflow exploits in every single major software-package gets monotonous. As a C programmer (one of many languages I know) that is one of the most foolish statements I have heard all year. Buffer-overflows are not caused by the programming language. They are caused by bad programmers!!!!!!!!!!!! The problem here is that some people want a language to cover up their lack of programming skills!!!!!!! Utter foolishness!!! After all, nobody ever got prosecuted for 'Not realising that guy was going to do something silly.' But people do get prosecuted for driving cars with no brakes. If you do not possess the skills to drive a car, why are you attempting to drive it??? Driving a car requires a skill set, if you do not possess it, don't drive...in either case don't blame the car for your ineptness. Imhotep |
Thread Tools | |
Display Modes | |
|
|