Domain: safecenter.net
Stories and comments across the archive that link to safecenter.net.
Comments · 23
-
Re:What patch?
I don't know how up to date this list is. But a quick google will show you plenty of other lists of unpatched IE flaws. Personally I gave up using IE when my system was crapped out by 180 solutions spyware that was using a variation of a supposedly patched flaw (the patch was later updated).
-
Re:not much...
There are at least two other IE exploits out there that MS has not patched, and SP2 won't protect you. See: http://isc.sans.org/diary.php?date=2004-11-20
Quote: Two More IE Vulnerabilities
Exploit code has been released for two more Internet Explorer vulnerabilities that were released on Wednesday (Nov. 17). This code would enable an attacker to trick users into executing malware. These vulnerabilities affect Microsoft Internet Explorer 6.0 SP2 and are not prevented by Windows XP SP2.
The original advisory is here: http://secunia.com/advisories/13203/
The proof of concept exploit: http://www.k-otik.com/exploits/2041119.IESP2disclosure.php
While on the topic, it is interesting to note some statistics that Secunia has been compiling about Internet Explorer vulnerabilities:
IE 5.01 - 42 advisories (7 unpatched) http://secunia.com/product/9/
IE 5.5 - 55 advisories (8 unpatched) http://secunia.com/product/10/
IE 6.0 - 69 advisories (18 unpatched) http://secunia.com/product/11/
If you still think SP2 has mystical properties: http://www.safecenter.net/UMBRELLAWEBV4/ie_unpatched/
-
Re:Protecting the Monopoly
Microsoft's enormous mistake was to drop IE for the Mac.
IMHO their biggest mistake was not fixing vulnerabilities in IE in a timely manner. I don't recall hearing much about the market share for alternative browsers increasing until after the latest round of IE security problems in the past few months. Since many folks have been hit with Blaster and Sasser, the masses seem to take security updates more seriously. There have been plenty of IE vulnerabilities in the past, but they never seemed to get as much press as they have lately.
Go have a look at the securityfocus.com archives. There are lots of posts about IE vulnerabilities, several of which Microsoft just flat-out refused to patch, probably because some manager at Microsoft did not think the problems were serious enough, and didn't want to "pony up" the resources. The entire company has paid for those decisions.
There was a guy at pivx.com that used to maintain a list of unpatched IE bugs, but the page seems to have disappeared. It's been quite some time since I looked at the list, but in some cases issues went unpatched for *YEARS*! Now, how exactly can Microsoft claim to take security seriously?
A quick google search turned up this page of still unpatched IE vulnerabilities. The list is still quite long. -
Re:All MS needs to do to compete is imitate
Just watch Safari & Firefox development and imitate the functionality. Joe User then has no compelling reason to switch.
I can think of a few compelling reasons...
-- james -
Re:One of the reasons i love firefox
Except in the rare *laugh* cases like these.
-
1 down, 23 to go
Now they just need to fix the other 23 unpatched vulnerabilities
-
Re:Coming events
I guess Security Focus is just making this stuff up. I am glad the security industry doesn't accept your "good effort" as a means to see if something is an exploit. You sound like an IE apologist.
-
Re:Coming events
That is just one of many
-
Re:Coming events
Here are some. Some may be a year or so old, and I don't recall what links I sent as examples. Google should help you find all you need.
Microsoft software "riddled with vulnerabilities", trade body claims
30 unpatched holes in IE, says security researcher
Credit card theft feared in Windows flaw | CNET News.com
Microsoft Issues Five New Security Warnings
Microsoft WinXP Update spies on other PC software
Microsoft issues patch for "serious" XP hole
Microsoft Windows Insecure by Design (TechNews.com)
Server attacks stump Microsoft
Windows flaw threatens PC services
Gartner: Worms Jack Up the Total Cost of Windows
CERT recommends anything but IE
Exploiting design flaws in the Win32 API for privilege escalation
Worm Exploits Multiple Windows Vulnerabilities
Unpatched Internet Explorer Bugs -
Re:Business Lesson 101
And what about the twenty four unpatched IE vulnerabilities?
-
Re:Recently installed, uninstalled FireFox
What's your IP?
You're seriously naive if you think that IE is in any way secure by default, or secure when patched up. It might be secure if you set your local zone to high security settings, but then it's almost useless to all but your trusted sites.
Read these links, and you'll see:
- http://www.safecenter.net/UMBRELLAWEBV4/ie_unpatched/
- http://www.guninski.com/browsers.html
- http://www.malware.com
There has been at least one reported incident where spyware authors have discovered and exploited a hole in IE (i.e. it was not published on any security mailing list, and no patch currently exists). This is an undisclosed vulnerability which was genuinely found in the wild. (The Register covered this too.) -
-
I'll respond to all of you in this one post...
Alright, it seems you're all fixated on the sizing issue in IE that, as people have pointed out, is easily remedied by correctly stating the doctype. I'm not at all talking about these little issues that aren't 100% bugs, because they can be worked around and such. What I'm getting at is more of the real design issues where you have to give up on a design element or spend many hours creating a workaround to get it to display in accordance with standards on IE, when it worked just fine on every other browser across the board. A simple example is the fieldset/legend bug. When you create a fieldset and apply a legend (a special kind of title... think of the option groups on forms where the title is put across the top of the box), IE colors the background color outside of the lines above the title. That's just one example; there are literally hundreds of these kinds of issues that you have to deal with when making a commercial website. Yes, that's right, you do have to deal with them when making a commercial website. Contrary to the words that have been pushed into my mouth, I never said that you shouldn't deal with these issues on commercial sites; I said simply that I don't bother with it on "MY OWN WEBSITES" anymore.
Second, Firefox does not leave critical flaws unpatched for the amount of time that IE does. Furthermore, there are no outstanding critical flaws in Mozilla Firefox 0.8 to my knowledge, and I haven't applied one patch since I originally installed it. A look at IE, on the other hand, reveals 24 unpatched security issues at last update, many of which were critical. This is unacceptable, and is a considerably large source of adware/spyware/malware/viruses, which in turn is a considerably large source of spam, lost company revenue due to computer outages (from badly coded malware/spyware and from viruses), as well as a considerable amount of cost in time for the IT infrastructure to fix.
These are the reasons that, while IE is obviously the most used browser right now, it is in no way guaranteed to stay that way. You people do realize that Netscape was once king, right? Furthermore, I myself have referred Firefox 0.8 to at least 50-75 end users for personal use, in addition to participating in the decision to move the company over to Mozilla. I have yet to have a single complaint or person tell me, when asked, that they chose not to keep it. Every single person has decided to keep it, and most have thoroughly thanked me for the sound recommendation, and have let me know that they are VERY happy with their new browser, and that they will be recommending it to all their friends/family. I'm sorry, but if I get that good of a result, there are most likely others out there that are getting similar if not greater results. That's a lot of people. Regardless, Firefox seems, from my perspective at least, to be spreading like a virus. It's a great piece of software that is very well written. I for one will be glad when Internet Explorer is either fixed or loses its market share, because I assure you that one of the above scenarios is coming very soon.
--Jamon -
Re:Fix now available
Because if you are still using IE after all this time - and all these vulnerabilities, obviously someone in your IT chain is incompetent.
Whether it's the CEO, the IT manager, or you personally, someone isn't doing their job. The typical lame excuses of incorrect rendering or ActiveX or the fact that people can't visit their favorite game sites are all solvable. Obviously someone just doesn't care enough.
I don't think anyone is bound to coddle you, in any event.
-
SECURITY!
-
Please learn how to make links.
<a href="http://www.safecenter.net/UMBRELLAWEBV4/ie_unpatched/index.html">safe center</a>
yields: safe center
etc. -
Re:the registry key
are there any other windows browsers that people can run that won't suffer from the exploit?
Yes. Mozilla. It does not have this vulnerability nor any of the numerous other unpatched IE security vulnerabilities. Plus it offers nice tabbed browsing and a working popup blocker. It works on all operating systems and is free. There's really no reason not to use it.
-
So if this is true...
Then what are these guys talking about?
-
Re:Partly right
-
IE unpatched bugs (with exploits)
here. I rest my case.
-
Probably an autoproxy, not a virus
I was analyzing something very similar around October of last year when I worked here. They probably aren't installing a virus, per se -- more like an autoproxy which they will use to send spam or install more malware (e.g., to steal passwords or credit card numbers).
All the vulnerabilities mentioned in the article have been known for quite some time. Liu Die Yu's Unpatched IE vulnerabilities page documents several of these in detail, with exploit examples. (Note that some of the links on Liu Die Yu's site may result in popups, ironically.)
When I took a look at it, the proxy flavor of the month was most commonly referred to as ap216.exe (the filename is irrelevant, obviously). A good description of it is here, in the context of its use in a phishing scam.
Note that everything done in this attack will blithely go through most firewalls -- almost all connections are initiated from within the network. Firewalls are an increasingly inadequate means of protecting users from organized and motivated attackers. IMO, any network admin who doesn't run deep-packet inspection firewalls, intrusion prevention, or security-minded filtering application proxies is asking for it.
Sure, someone could write something to quietly delete all the files on your hard drive. I'm sure he'd rather have all the spam your machine can send, or all the money from your bank account.
phil -
Re:Microsoft Security
Microsoft Security. What's it all about? Is it good, or is it whack?
I'd have to say whack. As is this report. Crowing about the lack of reported vulnerabilities means nothing when you have paid security firms not to report vulnerabilities! Of COURSE the vulnerabilities reported have decreased. But have the real vulnerabilities decreased? Thanks to Microsoft, we will never know.
Without subjecting themselves to the same review other operating systems undergo, they have no cause to crow about a perceived dearth of vulnerabilities, especially since many previously reported vulnerabilities persist and will not be patched (but are not included in this report since they are not newly reported).
-
Re:Sometimes it's all about timing
Look at the researcher's site:
http://www.safecenter.net/UMBRELLAWEBV4/ie_unpatched/
There used to be a bigger list at: http://www.pivx.com/larholm/unpatched/ but hey, MS didn't do anything about it.
So might as well just report it directly to the public and skip all the MS BS.
-
Re:Bad news
You consider "built on IE" as pretty good? What about the numerous unpatched security vulnerabilities?
This one has worked on 2 of the 3 fully patched windows machines that I've tried it on. In IE only, of course.