lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue Mar 28 07:18:34 2006
From: a059d8e0a9s8d0 at hotmail.com (s89df987 s9f87s987f)
Subject: EEYE: Temporary workaround for IE
	createTextRange vulnerab



On 3/27/06, Valdis.Kletnieks@...edu <Valdis.Kletnieks@...edu> wrote:
<snip>
>Somebody has to deploy firefox on the desktops (a pain in the butt even if
>you *do* use a Windows GPO to push it - something odd will go wrong with 
>some
>of the boxes, requiring support).

the same thing could be said for a 3rd party patch

>Somebody has to make sure that *all* the bookmarks and configuration 
>settings
>migrated correctly, and to help the users who have issues.
when firefox is first ran it will ask the user if they would like to import 
bookmarks and settings from IE


>Somebody has to handle all the odd support calls that converting to Firefox
>will cause.
such calls could also occur while using the said patch or worse when a 
system becomes compromised

>Somebody gets to retrain all the users who memorized things by rote.  If 
>'print'
>moves from the 3rd entry on the second from the left menu to the 7th entry
>on the leftmost menu, that will ruin their day.
you're overplaying that situation

>All this stuff adds up.  And then of course, what is your solution when the
>inevitable (there's been several already) security issue in Firefox comes 
>out?
>Everybody swap back to IE?

lets look at severity recent events

-IE
-- oversized img dim cause windows a BSOD
-- WMF && createTextRange = Remote Code Execution


-FF
-- overly large html title = caused FF not to open on the next execute
but the remedy was easy enough and while an update was being prepared, users 
could disable js or install a FF extention so to only allow js from trusted 
sites


I would say this is far less as serious than a BSOD and/or Remote Code 
Execution
M$ took their time on the oversized img dim crash while Mozilla put out a 
patch shortly of the discovery about the title bug

FF is a viable solution

_________________________________________________________________
Express yourself instantly with MSN Messenger! Download today - it's FREE! 
http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ