From: lsawyer at gci.com (Leif Sawyer)
Subject: IE

On Mon, July 19, 2004, Eric Paynter replied to:
> nicolas vigier, whom said:
>> The real solution is to use a browser with no known 
>> vulnerability (and that's better if it didn't have
>> a lot in the past), not to try to hide what you
>> are using.
> 
> That's not always possible. Sometimes, changing the browser 
> is a project that will take months to complete (think: 
> corporation with thousands of PCs at hundreds of sites - it 
> takes time to create the business case, get funding, 
> build/test the auto install package, retrain the end users, 
> etc.). In the period of exposure, any little bit helps 
> (albeit, minimally). This small change can probably be done 
> in a couple of weeks with no impact to the user.

Not to mention all the vendors out there whose products have
assinine restrictions, because they can't be bothered to code
portable web-apps.

Think Cisco, for one.

I personally think that _EVERYBODY_ with a CCO contract should
open up a TAC case complaining that X-application (website,
RME, VMS, etc..) doesn't work with a W3C-Standards Compliant
browser, nor with latest-bug-fixed JREs.

I've already got mine open, but of course "Use I.E. or some
old version of Netscape Navigator, and an old JRE!" is the
typical response.   They need a lot more prodding to keep their
security platform up-to-date with security standards.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3767 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040719/7fed8810/smime.bin

Powered by blists - more mailing lists