Open Source and information security mailing list archives
 
Date: Thu, 1 Jul 2004 09:46:50 -0700
From: Nicholas Weaver <nweaver@...berkeley.edu>
To: Jeremy Epstein <jeremy.epstein@...methods.com>
Cc: Anything But Microsoft <abm@...thingbutmicrosoft.org>,
	"<@securityfocus.com BUGTRAQ" <BUGTRAQ@...urityfocus.com>
Subject: Re: Microsoft technologies. By default, non-HIPAA compliant?


On Wed, Jun 30, 2004 at 01:43:11PM -0400, Jeremy Epstein composed:
> A slightly less draconian configuration might have a filtering router that
> only allows users to visit particular sites; in that case also, the IE
> problems would be of no concern (since the redirect to the Russian and
> Estonian sites could be prevented).

This would not be the case, as the trojaned sites could easily present
the malware directly, rather than contacting a third party site.  That
it didn't is simply a sign that the attacker was less clever and
creative than he could have been.  Thus all sites which can be
contacted need to be "trusted".

> The latest set of attacks demonstrate some pretty bad problems, and
> Microsoft deserves a lot of criticism.  But let's not go overboard.

A better criticism is that, yeah, QA is important, but this is a known
critical exploit for over a WEEK now and there is no patch in sight.

That the crisis hasn't bloomed further with the simple hack:

Make the malcode modify any .html it can find, and include itself on
that site for download, combined with the continual attacks on IIS
sites, banner servers, etc...

is a mystery to me.

-- 
Nicholas C. Weaver                                 nweaver@...berkeley.edu
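The mail describes two delivery patterns: pages on a compromised site that pull the payload from a third-party host, and the variant Weaver expects, where the malcode rewrites every .html file it can reach so the site serves the payload itself (which is why an allow-list of "trusted" sites at the router does not help). The following is an added example, not code from the thread or from anyone in it: a small scanner that flags fetching references (script, iframe, object, link and so on) to hosts outside an allow-list, and separately flags any content appended after the closing </html>, which catches the self-hosted variant where every URL is same-origin. The trusted host name, the two sample pages and the IP addresses (from the documentation ranges) are all constructed for the example.

```python
"""Scan HTML pages for injected external references and trailing appended code.

Added example; the sample pages below are constructed, not taken from any
real incident. Two checks are run on each page:

  1. external_references(): every tag attribute that makes the browser fetch
     or run something, whose host is not in the caller's allow-list.
  2. trailing_injection(): any non-blank content after the last </html>, the
     footprint of a tool that appends itself to each page it can write.

Check 2 is what catches a payload hosted on the compromised site itself,
where every URL is same-origin and check 1 stays silent.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag -> attributes through which a page causes the browser to fetch/run code.
FETCHING_ATTRS = {
    "script": ("src",),
    "iframe": ("src",),
    "frame": ("src",),
    "object": ("data",),
    "embed": ("src",),
    "link": ("href",),
}


class _RefCollector(HTMLParser):
    """Collects (tag, url) for every fetching attribute in the document."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = FETCHING_ATTRS.get(tag)  # HTMLParser lowercases tag names
        if not wanted:
            return
        for name, value in attrs:
            if value and name.lower() in wanted:
                self.refs.append((tag, value))


def external_references(html, trusted_hosts):
    """Return (tag, url) pairs whose host is outside trusted_hosts.

    Relative URLs (no host) resolve to the serving site and are not reported;
    protocol-relative URLs (//host/...) are, since urlparse extracts the host.
    """
    collector = _RefCollector()
    collector.feed(html)
    collector.close()
    trusted = {h.lower() for h in trusted_hosts}
    return [
        (tag, url)
        for tag, url in collector.refs
        if (urlparse(url).hostname or "").lower() not in trusted
        and urlparse(url).hostname is not None
    ]


def trailing_injection(html):
    """Return stripped content found after the last </html>, or '' if none."""
    idx = html.lower().rfind("</html>")
    if idx < 0:
        return ""
    return html[idx + len("</html>"):].strip()


def scan(html, trusted_hosts):
    """Run both checks; 'suspicious' is true if either one fires."""
    external = external_references(html, trusted_hosts)
    trailing = trailing_injection(html)
    return {"external": external, "trailing": trailing,
            "suspicious": bool(external or trailing)}


# Constructed sample 1: injected hidden iframe plus a script appended after
# </html>, both pointing at third-party hosts.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="/js/menu.js"></script>
</head><body>
<p>Welcome</p>
<iframe src="http://203.0.113.7/cgi-bin/ad.php" width=1 height=1></iframe>
</body></html>
<script src="http://198.51.100.9/x.js"></script>"""

# Constructed sample 2: the self-hosted variant from the mail. The appended
# script is served from the same site, so only the trailing check fires.
SELF_HOSTED_PAGE = """<html><head><title>Store</title></head><body>
<p>Catalogue</p>
</body></html>
<script src="/images/x.js"></script>"""

if __name__ == "__main__":
    for name, page in (("third-party", SAMPLE_PAGE), ("self-hosted", SELF_HOSTED_PAGE)):
        result = scan(page, {"www.example.com"})  # hypothetical trusted host
        print(name, result["suspicious"], result["external"], repr(result["trailing"]))
```

Run against a web root with `for f in $(find /var/www -name '*.html')`, or the equivalent loop in Python, the trailing-content check alone is a cheap integrity test that needs no baseline; comparing against file hashes taken at deployment time is better still.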
