Where is the IE zero day exploit in the news...

Posted by Imhotep on November 26, 2005, 11:13 pm
Has anyone noticed that there is not a single mention of the latest IE vuln
in the news (popular news sites like cnn, yahoo, bbc, etc)???

Imhotep

Posted by Alun Jones on December 2, 2005, 5:41 pm
>Please, spare me. What I said was given the choice of a browser blowing up
>or allowing ANY web site to run ANY binary on my PC, I would wisely choose
>my browser blowing up. Now, face it, once and for all, your mighty
>Microsoft, yet again, screwed their customers by not putting any "research"
>into evaluating this serious security hole. You can fight this fact, and
>try to twist words around but, all you do is prove to me that I am right in
>saying "Yet again MS users are better off looking at another
>platform"...squirm all you want but you are on the "hook"...

Your argument about Microsoft "not researching" this security issue is
specious. There's an old adage in development that "you can't test bugs out
of a product" - this doesn't just mean that a developer has to fix the
product, it also means that test can only find bugs, it can't prove that all
the bugs have been found.

The same is true of research into a security bug. You can find a way to
exploit a security bug, but no matter how much research you throw into it, you
can't, in general, say "there is no way to exploit this security bug".

A while back, the accepted opinion was that heap memory was impossible to
exploit. Nowadays, it's clear that this is no longer true. Similarly, it may
have taken a leap of logic to find out exactly how to exploit what appeared to
its researchers to be merely a DoS.

Don't forget that Microsoft wasn't alone in researching this issue - the
original discoverer was also researching it, and categorised it as a DoS only,
as well. Only recently has it become clear that it is exploitable. As a
result, with all the research suggesting that the bug was a DoS, it was
handled correctly as a DoS.

What I'd like to ask is, if it's so easy to make this into an exploit, why
_you_ weren't pointing this obvious fact out to Microsoft six months ago? You
make it abundantly clear above that you are superior to Microsoft's own
security staff, yet even you were unaware that this exploit existed. Why is
that?

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software | Find us at http://www.wftpd.com or email
23921 57th Ave SE | alun@wftpd.com.
Washington WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.

Posted by Alun Jones on December 2, 2005, 5:41 pm
>....So what you are saying is that Microsoft can not get patches (or assess
>security holes) right either? OK, I agree with that....

What I am saying is that no one assessed this security hole "right", for its
first six months of existence; and that patches take time and require testing,
that they often require a reboot, and that users get irritated with repeatedly
having to reboot machines for updates that fix minor problems.

>Oh, there was the 051 patch fiasco...just recently...but hey did you buy the
>new XBox? I heard it has a new "blue Screen" feature! :-)

Why are you obsessed with the XBox? Put it on your list in your letter to
Santa, and wait. There isn't a prize for posting the most articles
referencing it unnecessarily.

Alun.

Posted by Alun Jones on December 2, 2005, 5:41 pm
>Ah you also forgot totally redoing the XBox...I guess that was where their
>attention was....

Enough with the XBox conspiracy theories already. Microsoft is not a single
entity, with only one developer, one tester and one salesperson - the XBox
division is a different division from anything that you're talking about. The
only way you might claim that patching IE gets delayed to ship the XBox is if
you could show that the IE development team quit to go and work on the XBox.
Without that information, you sound like a loony.

>But, hey, I heard that the XBox was "blue screening" too!!!!!! Some things
>never change, like Microsoft "quality".

Do you know any software that didn't have bugs creep past testing?

Bugs are a hazard of the profession - what marks one company above another is
not the number of bugs discovered, but what they do to prevent future bugs,
especially future occurrences of the same bug.

Alun.

Posted by Todd H. on December 4, 2005, 11:21 pm
> You have no idea who I am or what I do for a living. Meatball.

So enlighten us,...umm eggroll.

Mmmmm. Eggrolls.

Or, actually, don't bother because your thought process on this issue
and others speaks a lot louder than your resume would.

> I have asked why this news (I have not looked in about three days) was not
> in the non techie popular news sites. Why? Because it is usually the home
> users getting screwed more than anyone else. This is a legitimate gripe, as
> again, these are the people getting screwed. I would think that someone as,
> ahem, intelligent as you could comprehend that.

It has hit the popular media but no more than any other security issue
would. That it's very serious in widely deployed software, yet the
media isn't hooting and hollering is indeed curious, and lamentable.
That is actually a useful and interesting insight.

But that's not the argument that makes folks think you're off the deep
end on the Microsoft bashing as a result. Let's be clear what we're
arguing about, butter wings.

> > Truth is, this exact same scenario could happen to Mozilla or Opera,
> > or any other software vendor tomorrow if anyone came up with a remote
> > exploit that was related to any prior unfixed, low-threat DOS
> > condition in their products.
>
> Did you even read any of the prior threads? That "gripe" as you put
> it was about how Microsoft with all of its money dropped the ball
> on a very critical security hole and as such put millions of PC
> users in a bad position. It was not about how a security hole could
> come into being on other software (da!).

It's not about money. It's not about resources. Every business is
about managing risk with finite resources. Yes, even Microsoft has
finite resources. If it had infinite resources, it wouldn't be
profitable, and would've gone under long ago.

You contend that it's a hanging crime that Microsoft didn't fix a
denial of service vulnerability for 8 months. I, and a lot of others,
evidently disagree with that, and say yours is an unreasonable gripe
because the vulnerability as originally discovered was not that big a
deal.

Yes, NOW it really is a big friggin deal and people should be
concerned. And, with respect to Microsoft's response, reasonable
folks will start the "hangin crime" timer on Microsoft's response to
the issue from the moment the remote code execution exploit of this
vulnerability was released. Not from the "harmless denial of
service" release date.

Best Regards,
--
Todd H.
http://www.toddh.net/