Slashdot Mirror


Cryptogram Judges MS Security

johnfoobar writes: "The latest issue of Bruce Schneier's Cryptogram has a section entitled 'Judging Microsoft' which aims to 'provide a list of measurable recommendations, so that the community can judge Microsoft's sincerity.' Required reading if you use Microsoft products." Update: 02/15 18:15 GMT by M: A better link is Schneier's first essay this month, which is about Microsoft's "Trustworthy Computing" initiative.

2 of 204 comments

  1. MS02-005 cumulative patch by jamie (Score: 4, Flamebait)
    Bruce Schneier wrote in this month's Crypto-Gram, sent out this morning sometime:

    "Anyone remember Scott Culp ... touting how fast Microsoft was at patching problems? There's a new vulnerability in IE that Microsoft is busy ignoring."

    This was the first I'd heard of it, though I've gone to microsoft.com and asked to be put on Microsoft's mailing list for security alerts. About three hours later, the email finally arrived from Microsoft, four days late:

    To: jamie@mccarthy.vg
    Subject: Microsoft Security Bulletin MS02-005
    Date: Fri, 15 Feb 2002 07:33:02 -0800

    Title: 11 February 2002 Cumulative Patch for Internet Explorer
    Date: 11 February 2002
    Software: Internet Explorer
    Impact: Run Code of Attacker's Choice
    Max Risk: Critical
    Bulletin: MS02-005

    This is a cumulative patch that, when installed, eliminates all previously discussed security vulnerabilities affecting IE 5.01, 5.5 and IE 6. In addition, it eliminates the following six newly discovered vulnerabilities...

    What Microsoft didn't mention was that, before I got its security alert, someone had posted to bugtraq this assessment of their patch:

    From: Thor Larholm <Thor @ (no spam) jubii . dk>
    To: "'bugtraq@securityfocus.com'"
    Subject: Update on the MS02-005 patch, holes still remain
    Date: Tue, 12 Feb 2002 15:25:11 +0100

    ...2 critical vulnerabilities are still remaining.

    1. codebase localpath
    Allows execution of arbitrary commands.
    Publicly known since January 10th 2002.
    Severity: Critical.

    2. XMLHTTP
    Allows reading of local files.
    Publicly known since December 15th 2001.
    Severity: Critical for home users.

  2. Re: Covered previously by alecks (Score: 0, Flamebait)

    This article is CRAP:

    "The best prevention for attacks against a feature is for the feature not to be there."

    LOL!