Slashdot Mirror

← Back to Stories (view on slashdot.org)

New IE Holes Discovered

Posted by CowboyNeal on from the yes-even-more dept.

joelt49 writes "Yahoo! News is reporting that 7 new security holes for Internet Explorer have been discovered by a Chinese researcher; however, there apparantly aren't any attacks on IE yet." The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list. Sure, a lot of people don't like Microsoft, but that's no reason to make it worse for the millions of people who are forced to use Microsoft products, especially for security holes which have yet to be exploited.

15 of 801 comments (clear)

  1. Incident response times by Tet · · Score: 5, Insightful
    The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list.

    Yep, not ideal. But it'll be interesting to see whether MS's claims of having a faster response time to security incidents that the Linux community stands up. Will they have a patch available withing the next day or so? You can guarantee that the Mozilla or Konqueror communities would have in the same circumstances...

    --
    "The invisible and the non-existent look very much alike." -- Delos B. McKown
    1. Re:Incident response times by Chexsum · · Score: 5, Insightful

      Itd be really strange if Mozilla broke my Window Manager or something. What exactly would they need to test it with?

      I can understand Internet Explorer needing to be tested against the rest of Windows and its APIs but Mozilla is a stand-alone web browser - as long as the API isnt affected it ['full regression testing'] shouldnt matter too much IMO.

      --
      Pixels keep you awake!
    2. Re:Incident response times by Avihson · · Score: 5, Insightful

      Microsoft has been using the paying community as QA since at least MS-DOS 4.0 Have you been living in a cave all these years?

      The whole premise behind FSF is that it is FREE, the user accepts some responsibility in the transaction, in this case by reporting bugs and helping to test beta versions before the code is released live. You seem to be saying that Microsoft has never released code that was not finished, 100% Quality Assured, no Security holes.....

      If you believe so strongly in your statements, why do you post AC?
      So I say Mod the Grandparent DOWN, MS whiners be damned!

    3. Re:Incident response times by Error27 · · Score: 5, Insightful

      Please list one problem someone has had because of a Mozilla security fix.

    4. Re:Incident response times by arkanes · · Score: 5, Insightful

      Doesn't matter - MS claims a 24 hour response time. Lets see it happen.

  2. it wouldn't change anything by __aaitqo8496 · · Score: 5, Insightful

    I don't blame this guy for not going to Microsoft first. Given thier track record, more than likely, they would have ignored him until someone publicly announced the problems.

    P.S. Is it news anymore that IE has holes?

    1. Re:it wouldn't change anything by muffen · · Score: 5, Insightful

      Given thier track record, more than likely, they would have ignored him until someone publicly announced the problems.

      You may be right, but it still doesn't change anything. I think this guy should have told Microsoft first, waited, if they don't respond within 48 hours, report it.
      If you get a standard stupid automated copy/paste reply, report the holes.... but you SHOULD give the company some notice. As stated in the article, not giving the company any info just makes it bad for anyone having to use IE.

      Is it news anymore that IE has holes?

      Nope. Seriously, who here gives a crap about IE holes? Everyone here probably knows that using IE is about as secure as getting water in a fishingnet.

    2. Re:it wouldn't change anything by AtomicBomb · · Score: 5, Insightful

      It is pretty pathetic to deal with some big software company like Microsoft when reporting bugs... There is no simple way. A friend of mine did some scripting and discovered an obscured w2k bug (no big deal just causing yet another blue screen) by pure chance. He did some detective work and nailed down to the exact condition that triggers the problem. Since we are not doing security or serious low level programming, we don't have links with any relevant person in MS. When contacting the local MS office (we are in a small country, btw), the guy on the other end of the phone had no clue and put us thru technical support. Read: demanding $$$.

      At the end, we did not bother. After a few more months, it was made public (not by my friend though). Nowadays, reporting MS bug becomes a dangerous maneouver... If MS is really serious about security and good quality software, they would put a contact on the front page and offer reward for anyone who spots a new major bug. Before then, I don't see why we need to be nice to MS.... They say they are capitalist. We should respect their value and don't do any free work for them...

  3. It's hardly bad... by shfted! · · Score: 5, Insightful

    Sure, a lot of people don't like Microsoft, but that's no reason to make it worse for the millions of people who are forced to use Microsoft products, especially for security holes which have yet to be exploited.

    If OSS people can fix the bugs in less than half a day, it should be a piece of cake for a giant software company with lots of programmers to do the same. Sure, a days warning would have been nice, but if there isn't a fix by tonight, it only shows badly on Microsoft.

    --
    He who laughs last is stuck in a time dilation bubble.
  4. blablabla by Anonymous Coward · · Score: 5, Insightful

    The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list.

    Believe me, in these days that is the only way to report bugs AND making sure they'll get fixed.

    Dream world scenario:

    1) Report bug to company
    2) Company will announce the bug to the public
    3) Company will fix the bug as soon as possible

    Real World scenario 1:

    1) Report bug to company
    2) They don't report it to the public and they don't fix it
    3) You report it to the public
    4) Company sues you for IP violation or any other shit they can pull out of their asses

    Real World scenario 2:

    1) Report it to the public (anonymously).
    2) Company will fix it

  5. Immediate full disclosure is best security practic by Anonymous Coward · · Score: 5, Insightful

    Seriously - AS SOON AS THERE IS A VULNERABILITY, I, as a sysadmin, want to know about it. I don't give a flying fuck about Microsoft's reputation, or whether "vendors need time to patch the hole" - while there is a known hole, I DON'T WANT MY FUCKING SYSTEM ONLINE. If a nice guy can discover it, the bad guys probably already have.

    The "give us time to fix the hole/do a P.R. coverup" fiasco is WHY I DON'T USE MICROSOFT SOFTWARE ANYMORE.

  6. Public mailing list? by Amiga+Lover · · Score: 5, Insightful

    The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list.

    Thats because Microsoft's past record is to ignore people who have contacted them privately regarding security issues, or take legal action against them.

    If you really wanted something fixed by MS, and the last 15 times you'd contacted them they'd ignored you, but you've seen someone else release information into the wild and get MS's attention re: a fix within hours... WWYD?

  7. Sometimes it's all about timing by harmonics · · Score: 5, Insightful

    While my firm is a strong supporter of full disclosure, this is rather over the top.

    What makes it worse is the timing, over a holiday weekend (States side), where most systems staff will be unable to apply patches or mitigate risks.

    Now this is an Internet Explorer exploit, hence, few people using IE at work over the weekend. It still provides 48 hours for a few unsavory individuals to develop exploits for Monday morning.

    We need to exercise better judgement when dealing with vendors and security issues, this isn't the first time things like this have happened, and won't be the last.

    Perhaps we should consider spending more effort creating a Security Researchers Organization as has been discussed on BugTraq .

    Until we have a strong unified organization I believe we will continue to see unresponsive vendors and poorly timed vulnerability releases.

  8. Re:Forced? by MKalus · · Score: 5, Insightful

    I bet you most people in Big Corporations are forced to use windows (not that they know any different).

    I know I am forced to use windows at work, even though either a Mac or any Unix Desktop would do.

    I ditch IE whenever I can, but for example our HR Website and anything else RELIES on Windows, no way around it.

    --
    If you want to e-mail me, use my PGP Key.
  9. Re:No Exploit, eh? by djdavetrouble · · Score: 5, Insightful

    Truly. Also, if there is exploit code, someone is using it, just maybe not as part of a trojan or virus yet. Patch or no patch, you can bet that there will be an exploit being used in the wild within a matter of hours or a day at the maximum. The latest trojan/worm/virii are programs that deliver huge amounts of machines to spammers and hackers to become part of their DOS botnets or spamnets, with built in backdoors, etc. Were you on irc the day that the mirc xdcc flaw was discovered? I received no less than 30 malformed xdcc requests that day. Discovery of a new flaw is like free candy to script kidz. Twice the 0wned machines, half the hacking.

    --
    music lover since 1969