New IE Holes Discovered

joelt49 writes "Yahoo! News is reporting that 7 new security holes for Internet Explorer have been discovered by a Chinese researcher; however, there apparently aren't any attacks on IE yet." The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list. Sure, a lot of people don't like Microsoft, but that's no reason to make it worse for the millions of people who are forced to use Microsoft products, especially for security holes which have yet to be exploited.


  1. Topic was briefly discussed at NTBugTraq by Lieutenant_Dan · · Score: 5, Informative

    Russ Cooper made some good points.

    I think MS has the responsibility to address their customers' concerns immediately (naive, I know), especially IE's overly close integration with the OS which causes most of these exploits.

    --
    Wearing pants should always be optional.
  2. Addendum by Lieutenant_Dan · · Score: 4, Informative

    I like this release.

    Disable Active Scripting and find an alternative to IE ("use another product"). Not very realistic unfortunately, when companies have invested so much in integrating (and accepting) some of the flawed functionality in IE.

    I do find that people are starting to be a lot more receptive towards MS-alternatives, especially when the mass media is now jumping on the bandwagon as well. Now techies find themselves explaining their choice of MS over and over again, to hype-induced managers.

    --
    Wearing pants should always be optional.
  3. Re:Forced? by haxor.dk · · Score: 3, Informative

    Sorry to burst your bubble, but:

    1) There are virtually no "integration" issues between Mac OS X and Windows. OS X supports Samba out of the box.

    2) I thought most companies frowned upon games on company computers, on company time?

  4. actually, this is old by the_mighty_$ · · Score: 5, Informative

    hey folks, this was posted to bugtraq some two months ago.

    --
    VI VI VI - the editor of the beast!
  5. Microsoft is being forced to eat their dogfood... by SwansonMarpalum · · Score: 4, Informative

    Microsoft has claimed time and again that their response times to security alerts are sterling, as opposed to the "slow" response times for OSS. They make these claims without telling consumers that they have known about the exploit for months and are publicly releasing knowledge right before they release the fix.

    This is a case of people letting Microsoft's boastful ways catch up to it. If they are as fast as they have claimed, time and again, there won't be a problem for those people who are diligent in patching.

    Additionally with the advent of companies using the DMCA to try and stifle this behavior, it is more important than ever to engage in it and further show the flaws with this absolutely off the wall piece of legislation. See this article.

    --
    "Give away the stone, let the oceans take and transmutate this cold and faded anchor." - Maynard James Keenan
  6. Re:Incident response times by Troed · · Score: 5, Informative

    Neither does Microsoft, as shown several times when their updates cause 3rd-party software to break - even in areas the patch wasn't supposed to touch.

    Feel free to Google.

  7. using Mozilla is not a cure all by puck01 · · Score: 4, Informative

    I wrote this above and I'll post it again: using an alternate browser does not always protect you from IE holes. I cannot comment on these new holes because I'm not sure how they work, but some previous IE holes left the computer vulnerable whether or not you actually used IE at all! An unfortunate consequence of the browser integration with the OS.

    So the fact that I'm using Mozilla on Win 98 right now does not mean I'm guaranteed immunity from these new holes.

  8. No Exploit, eh? by GaelenBurns · · Score: 5, Informative

    What I'm wondering is why the poster of this story didn't do a tad more research before posting. As of yesterday, an exploit for these security holes has been available.

    Exploit code, anyone? A simple google search or a Bugtraq archive browse should do it.

  9. Re:Incident response times by Begemot · · Score: 5, Informative

    ... as shown several times when their updates cause 3rd-party software to break ...

    It's even worse when done by design. Once a scoundrel - always a scoundrel.

  10. Perhaps the Microsoft spokesman is lying by Error27 · · Score: 5, Informative

    These security problems were publicly known in September.

    What was released recently was sample exploit code.

    If you are a Microsoft spokesman then, of course, you have to say that, "Hey, if we don't have a fix then it must mean we didn't know about it." So it's not even lying to say that you weren't told. It's the only logical thing.

    The spokesman was not aware that Microsoft had released unmarked patches for some of the problems.

  11. Microsoft doesn't either by Baki · · Score: 3, Informative

    In the company where I work (a large bank, 40000 work places) the latest IE security patch caused grave problems with (client certificate authenticated) SSL connections. Many internal applications broke down at random after about 10 minutes. This is costing massive amounts of time and money.

  12. Re:Incident response times by davburns · · Score: 3, Informative

    It's been a while since I followed bugtraq/NTbugtraq. Does Microsoft still charge people $90 (up front -- but supposedly refundable) if they want to report a security bug?

    If they are, then I can see why researchers aren't playing their silly game, especially if they discover several bugs. Further, Microsoft is giving up a small advantage they could have over open source. If they allowed non-public reporting of security bugs, then they could have that information before the crackers get it, while open source bugs are generally reported to open developer lists.

  13. Re:it wouldn't change anything by ExtraT · · Score: 5, Informative

    I used to work in Microsoft technical support. From my experience, MS does everything to avoid receiving bug reports from end users; their system is designed in such a way that bug reports are automatically dropped unless they originate from a pro support client (which pays millions of dollars for support). What this guy did is not only right, but also it is the only moral thing to do. Companies like MS should pay for their bad business practices.