Message-ID: <200406251853.i5PIr4uI017422@web122.megawebservers.com>
Date: Fri, 25 Jun 2004 18:53:04 -0000
From: "http-equiv@...ite.com" <1@...ware.com>
To: <bugtraq@...urityfocus.com>
Subject: Microsoft and Security




Where is Microsoft now "protecting their customers" as they love 
to bray? Should not someone in authority of this public company 
step forward and explain themselves at this time?

All of a sudden panic is being created across the WWW with "IIS 
Exploit Infecting Web Site Visitors With Malware", "Mysterious 
Attack Hits Web Servers", "Researchers warn of infectious Web 
sites" all stemming from all news accounts from an 
unpatched "problem" with Internet Explorer now two weeks old and 
counting, which in fact in reality stems from 10 months ago, 
that being the adodb.stream safe for scripting control with 
write capabilities.

What exactly is being done about this? Nothing. What does 
multiple billions of dollars buy you today. Nothing. However for 
$20 million you can almost fly to the moon.

Someone ought to step forward and explain what exactly is 
happening at this public company. The great "protector of their 
customers". One might even suggest that their entire "security" 
mandate be re-examined. What exactly do they consider a 
vulnerability? Something that suits them or something that's 
cost effective to fix. So what, a few people lose their 
identities, have a few dollars extracted from their bank 
accounts, have their home pages reset, we'll fix it when it 
suits us as we have to be on budget this quarter. The Big Boss 
says $40 billion isn't enough this year. 

A vulnerability:

http://www.microsoft.com/technet/archive/community/columns/security/essays/vulnrbl.mspx

"A security vulnerability is a flaw in a product that makes it 
infeasible – even when using the product properly—to prevent an 
attacker from usurping privileges on the user's system, 
regulating its operation, compromising data on it, or assuming 
ungranted trust."

What is this gibberish? For the past 10 months the adodb.stream 
object is capable of writing files to the "all important 
customer's" computer. It has real world consequences. It rapes 
their computer. Does it fit into the gibberish custom 
definition. Plain and simple: "A security vulnerability is a 
flaw in a product that makes it infeasible". What kind of 
language is this. Reads like the financial department conjured 
it up.

Disabling scripting won't solve it. Putting sites in one of the 
myriad of "zones" won't solve it. Internet Explorer can 
trivially be fooled into operating in the less than secure 
so-called "intranet zone" and it can be guided there remotely.

What's happening here. Where is the Microsoft representative 
explaining all of this to the shareholders and "customers" they 
so dearly wish to protect.  This is unacceptable.  Someone must 
be held accountable.


-- 
http://www.malware.com






