[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <40E11492.9070009@sbcglobal.net>
Date: Tue, 29 Jun 2004 00:04:50 -0700
From: Steve Kudlak <chromazine@...global.net>
To: Nancy Kramer <nekramer@...dtheater.net>
Cc: "Burnes, James" <james.burnes@....com>, 1@...ware.com,
bugtraq@...urityfocus.com, NTBugtraq@...tserv.ntbugtraq.com,
full-disclosure@...ts.netsys.com
Subject: Re: Microsoft and Security
To a certain extent you are right. I dunno if this is the place to
discuss all
these very general issuesd, although many pf the reasons that IE has so many
problems may come from the very fact that there is some minority of sites
that are very IE only.and that large enterprises sometimes declares "thou
shalt use Outlook". Well some small places too. I notice many public
libraries have IE as their internal browser.
This is interesting because my local library goes to extraordinary lengths
to prevent people doing nasty things to their computer. For example one
can not bring in floppy disk, or CDs and the public browser is pretty
limited.
But it still lets you surf anywhere you wanted. Now if there were a
mailcious
site that could work ill WITHOUT DOWNLOADING that would be really
bad news for the limited public access that many people have.
What would be nice is some HTML code to test things like browser
vulnerabilities, especially those often reported. They could be put
up in some well marked demo site with flags about be careful with
this, so someone who is interested could test browsers and resolve
these "which browsers are safer" questions and also allow people to
put pressure on various browser development teams to make browsers
safer for the benefit of everyone.
Have Fun,
Sends Steve
Nancy Kramer wrote:
> There are lots of sites written only for IE or clones of IE like
> Opera. Some large sites are written only for late model IEs. Many
> are from large companies. Big business thinks MS is the state of the
> art and the only way to go for business. You have a choice do it
> their way or don't get the benefits of their web site. They play to
> the user who has AOL, uses only IE and Outlook with all the defaults
> on because if MS does it it must be right and they really have no
> interest in changing things or knowing about them. People believe
> they are protected by big companies like MS. They are fools but then
> like a friend of mine always says "business people are stupid".
>
> They believe that the US government should protect them from hackers
> and spam. That cannot be done but they don't understand that and
> neither do the US legislators.
>
> Regards,
>
> Nancy Kramer
> Webmaster http://www.americandreamcars.com
> Free Color Picture Ads for Collector Cars
> One of the Ten Best Places To Buy or Sell a Collector Car on the Web
>
>
> At 05:23 PM 6/28/2004, Burnes, James wrote:
>
>> Well, this is an predictable, but interesting quote from IDefense...
>>
>> [IDefense linked the malicious attacks to a group by a different name
>> called the hangUP team, also from Russia and also believed to be
>> responsible for the recent string of Korgo worms, Dunham said.
>>
>> "These are hackers for hire and they commoditize every piece of
>> information they capture. This was a very complicated and sophisticated
>> attack," he said.
>>
>> Security experts were still trying to determine Friday how IIS servers
>> were compromised and whether applying the latest patches for IIS and
>> Internet Explorer would protect users from the attacks.
>>
>> "My gut feeling is (patching) doesn't protect you," Dunham said. "If I
>> were a home user, I'd consider using another Web browser, like Mozilla,
>> until a patch comes out," he said.] (nwfusion - 06/25/2004)
>>
>> Well, of course. By why go back to IE unless someone wrote apps that
>> only run on IE and what's the point of that. Might as well write them
>> in VB.
>>
>> jim burnes
>> security engineer
>> great-west, denver
>>
>>
>> > -----Original Message-----
>> > From: full-disclosure-admin@...ts.netsys.com [mailto:full-disclosure-
>> > admin@...ts.netsys.com] On Behalf Of http-equiv@...ite.com
>> > Sent: Friday, June 25, 2004 9:41 AM
>> > To: bugtraq@...urityfocus.com
>> > Cc: NTBugtraq@...tserv.ntbugtraq.com; full-disclosure@...ts.netsys.com
>> > Subject: [Full-Disclosure] Microsoft and Security
>> >
>> >
>> >
>> > Where is Microsoft now "protecting their customers" as they love
>> > to bray? Should not someone in authority of this public company
>> > step forward and explain themselves at this time?
>> >
>> > All of sudden panic is being created across the WWW with "IIS
>> > Exploit Infecting Web Site Visitors With Malware", "Mysterious
>> > Attack Hits Web Servers", "Researchers warn of infectious Web
>> > sites" all stemming from all news accounts from an
>> > unpatched "problem" with Internet Explorer now two weeks old and
>> > counting, which in fact in reality stems from 10 months ago,
>> > that being the adodb.stream safe for scripting control with
>> > write capabilities.
>> >
>> > What exactly is being done about this? Nothing. What does
>> > multiple billions of dollars buy you today. Nothing. However for
>> > $20 million you can almost fly to the moon.
>> >
>> > Someone ought to step forward and explaini what exactly is
>> > happening at this public company. The great "protector of their
>> > customers". One might even suggest that their entire "security"
>> > mandate be re-examined. What exactly do they consider a
>> > vulnerability? Something that suits them or something that's
>> > cost effective to fix. So what, a few people lose their
>> > identities, have a few dollars extracted from their bank
>> > accounts, have their home pages reset, we'll fix it when it
>> > suits us as we have to be on budget this quarter. The Big Boss
>> > says $40 billion isn't enough this year.
>> >
>> > A vulnerability:
>> >
>> > http://www.microsoft.com/technet/archive/community/columns/securi
>> > ty/essays/vulnrbl.mspx
>> >
>> > "A security vulnerability is a flaw in a product that makes it
>> > infeasible - even when using the product properly-to prevent an
>> > attacker from usurping privileges on the user's system,
>> > regulating its operation, compromising data on it, or assuming
>> > ungranted trust."
>> >
>> > what this gibberish? For the past 10 months the adobd.stream
>> > object is capable of writing files to the "all important
>> > customer's" computer. It has real world consequences. It rapes
>> > their computer. Does it fit into the gibberish custom
>> > definition. Plain and simple: "A security vulnerability is a
>> > flaw in a product that makes it infeasible". What kind of
>> > language is this. Reads like the financial department conjured
>> > it up.
>> >
>> > Disabling scripting won't solve it. Putting sites in one of the
>> > myriad of "zones' won't solve it. Internet Explorer can
>> > trivially be fooled into operating in the less than secure so-
>> > called "intranet zone" and it can be guided there remotely.
>> >
>> > What's happening here. Where is the Microsoft representative
>> > explaining all of this to the shareholders and "customers" they
>> > so dearly wish to protect. This is unacceptable. Someone must
>> > be held accountable.
>> >
>> >
>> > --
>> > http://www.malware.com
>> >
>> >
>> >
>> >
>> >
>> > _______________________________________________
>> > Full-Disclosure - We believe in it.
>> > Charter: http://lists.netsys.com/full-disclosure-charter.html
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists