lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <OF378E8751.782ADB4B-ON80256F4D.002D25A7-80256F4D.002FD10B@csplc.com>
From: Colin.Scott at csplc.com (Colin.Scott@...lc.com)
Subject: IE is just as safe as FireFox

Yes perhaps I'm being a little close minded.

I know that WFP can be switched off and all that, but this is real life. We
don't have the luxury of 1 single domain controlling all our clients, we
are talking multiple NT/2000/2003 domains, multiple OS's, multiple Admins.

I am complaining (more the point I am trying to make as others are on the
list) directly about the situation we are in with the patching of Windows
products.  We feel like we are held to ransom by MS's security team while
they drink their coffee testing new patches on Dells with no doubt MS-only
apps installed. Meanwhile we have to go out and spend hundreds of thousands
of pounds on products that we shouldn't have to purchase. Or engineer
tricky methods to make changes to the whole estate just so we can feel a
little happier running windows (will we ever feel happy?).

We use SUS and currently its switched off. Why? Because one of MS's helpful
little patches has been eating machines, or more accurately WFP has been
helpfully putting DLLs back to the old version without warning, result
non-booting machine. An open call with MS PSS has given us no fix (c'mon
pull the finger out guys)

So currently we are damned if we do patch and damned if we don't.

Maybe you'll understand why I'm a little tetchy on the subject now (as I'm
sure others are too), and why I responded to Rafel's comments so
aggressively.  His comments weren't helpfull, anyone can put forward a
suggestion that costs way over 200k GBP.

Back on topic though, IE is no where near Firefox for security, however,
does Firefox come with a roll out method? Does it work for our critical
apps? Can the Firefox settings be controlled centrally? I'm sure I could
spend weeks figuring out methods to get Firefox to do these things, maybe
by that time MS will have patched IE (im not holding my breath).  The MS
guy that said the origonal comment should have known when he said it he was
dropping a clanger.

Cheers,

Colin.






                                                                           
             "Michael                                                      
             Evanchik"                                                     
             <mevanchik@...ati                                          To 
             onship1.com>              <Colin.Scott@...lc.com>,            
             Sent by:                  <full-disclosure@...ts.netsys.com>  
             full-disclosure-a                                          cc 
             dmin@...ts.netsys                                             
             .com                                                  Subject 
                                       RE: [Full-Disclosure] IE is just as 
                                       safe as FireFox                     
             12/11/2004 16:15                                              
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           




I disagree Colin,

A good administrator knows there is more then one way to skin a cat.
Rafel,
I belive was just briefly stating some solutions to the problem.  I can
tell
you windows protection can be defeated with a few registry changes.
Combine
that with an active directory login script and I believe that is one way to
solve the issue.  It is wrong to complain and give up if you administrator.
Talk to you developer, im sure he will have a solution  =)

Mike

www.michaelevanchik.com


-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of
Colin.Scott@...lc.com
Sent: Friday, November 12, 2004 9:46 AM
To: full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] IE is just as safe as FireFox

More infinate wisdom there Rafel.

Price per license for "Finjan's Vital Security for Web" = 9.50GBP per user
+ 20% support per annum, roughly equates to 160,000GBP (plus any hardware,
software and network requirements) to cover us with your no doubt
class-leading product.  I'm sure that the Directors will love to cough up
another 160 grand when we are already paying MS for Premier support.

Use SUS to install XP SP2 to 14,000 Windows 2000 machines? Somehow I think
that will be problematic.

Replace the SHDOCVW.DLL with the XP SP2 version? On Windows 2000 machines?
And what about the practical problems getting round Windows File
Protection? On 14,000 machines? Do you want to come in here and try what
you suggest?

I think Rafel you need a lesson in being a Windows Administrator before
posting your very helpfull posts to this list.

So thanks but no thanks.

Colin.











             "Rafel Ivgi,
             The-Insider"
             <theinsider@....n                                          To
             et.il>                    <full-disclosure@...ts.netsys.com>,
                                       <Colin.Scott@...lc.com>
             12/11/2004 14:08                                           cc

                                                                   Subject
                                       Re: [Full-Disclosure] IE is just as
                                       safe as FireFox










If you do have 14000 machines why don't you buy "Finjan's Vital Security
For
Web"?
It will filter all malicious I.E exploits for all its surfers(its a proxy,
quite fast...)

Or just use SUS(system update server (microsoft)) just like any other
administrator... to install sp2 or to just
replace the c:\windows\system32\shdocvw.dll with the patched one or with
sp2
one...

Rafel Ivgi, The-Insider
Security Consultant
Malicious Code Research Center (MCRC)
Finjan Software LTD
E-mail: rivgi@...jan.com
---------------------------------
Prevention is the best cure!
----- Original Message -----
From: <Colin.Scott@...lc.com>
To: <full-disclosure@...ts.netsys.com>
Sent: Friday, November 12, 2004 12:46 PM
Subject: Re: [Full-Disclosure] IE is just as safe as FireFox


Oh yeah, I've got 14,000 Windows 2000 machines to update to windows XP SP2,
hang on wheres that CD?

So thanks for your infinate wisdom there Rafel.

Colin.









            "Rafel Ivgi,
The-Insider"
<theinsider@....n                                          To
et.il>                    <full-disclosure@...ts.netsys.com>
Sent by:                                                   cc
full-disclosure-a
dmin@...ts.netsys                                     Subject
.com                      Re: [Full-Disclosure] IE is just as
safe as FireFox
12/11/2004 06:44



That is incorrect, there is a fix --> SP2.
Users  should use the latest updated system, meaning if there is an SP2,
they
should install it.


Rafel Ivgi, The-Insider
Security  Consultant
Malicious Code Research Center (MCRC)
Finjan Software  LTD
E-mail: rivgi@...jan.com
---------------------------------
Prevention  is the best cure!
----- Original Message -----
From: "Martin Mkrtchian"  <dotsecure@...il.com>
To: "Todd Towles" <toddtowles@...okshires.com>
Cc: "Mailing List -  Full-Disclosure" <full-disclosure@...ts.netsys.com>;
<ring-of-fire@...oogroups.com>
Sent: Friday,  November 12, 2004 3:03 AM
Subject: Re: [Full-Disclosure] IE is just as safe  as FireFox


> They should've at least released that statement after  they fixed the
> IE FRAME vulnerability. 0 day exploit is in the wild and  no fix for
> it, yet they claim its secure enough.
>
> If the  programmers are as smart as the company press releasers, I can
> see   why I.E. still sux.
>
>
> Martin
>
>
> On  Thu, 11 Nov 2004 15:59:20 -0600, Todd Towles
> <toddtowles@...okshires.com> wrote:
>> Microsoft's  security and mangement product manager (Ben English)
says...
>>
>> At a security roundtable discussion in Sydney on  Thursday, Ben English,
>> Microsoft's security and management product  manager, told attendees
that
>> IE undergoes "rigorous code reviews"  and is no less secure than any
>> other  browser.
>>
>> "Because IE is ubiquitous, you hear a lot more  about it, but I don't
>> think that Internet Explorer is any less  secure than any other browser
>> out there," English  said.
>>
>> http://news.com.com/Microsoft+says+Firefox+not+a+threat+to+IE/2100-1032_
>>  3-5448719.html?part=dht&tag=ntop&tag=nl.e433
>>
>> Can  anyone say IFRAME? Lol
>>
>> -Todd
>>
>>  _______________________________________________
>> Full-Disclosure - We  believe in it.
>> Charter: http://lists.netsys.com/full-disclosure-charter.html
>>
>
>  _______________________________________________
> Full-Disclosure - We  believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html






****************************************************************************

**********


This e-mail is confidential and may contain privileged information.  If you
are not the addressee or if you have received the e-mail in error, it may
be unlawful for you to read, copy, distribute, disclose or otherwise use
the
information which it contains.  Under these circumstances, please notify
us immediately by returning this mail to 'mailerror@...lc.com' and deleting
this e-mail from your system.

Any views expressed by an individual within this e-mail do not necessarily
reflect the views of Cadbury Schweppes Plc or its subsidiaries.  Cadbury
Schweppes Plc will not be bound by any agreement entered into as a result
of this email, unless its intention is clearly evidenced in the body of the
email.
Whilst we have taken reasonable steps to ensure that this e-mail and
attachments are free from viruses, recipients are advised to subject this
mail
to their own virus checking, in keeping with good computing practice.
Please
note that email received by Cadbury Schweppes Plc or its subsidiaries may
be
monitored in accordance with the prevailing law in the United Kingdom.

****************************************************************************

**********


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ