Bugtraq mailing list archives
Re: Microsoft technologies. By default, non-HIPAA compliant?
From: Nicholas Weaver <nweaver () CS berkeley edu>
Date: Thu, 1 Jul 2004 09:46:50 -0700
On Wed, Jun 30, 2004 at 01:43:11PM -0400, Jeremy Epstein composed:

> A slightly less draconian configuration might have a filtering router that only allows users to visit particular sites; in that case also, the IE problems would be of no concern (since the redirect to the Russian and Estonian sites could be prevented).
This would not be the case, as the trojaned sites could easily present the malware directly, rather than contacting a third party site. That it didn't is simply a sign that the attacker was less clever and creative than he could have been. Thus all sites which can be contacted need to be "trusted".
The latest set of attacks demonstrates some pretty bad problems, and Microsoft deserves a lot of criticism. But let's not go overboard.

A better criticism is that, yeah, QA is important, but this is a known critical exploit for over a WEEK now and there is no patch in sight. That the crisis hasn't bloomed further with the simple hack (make the malcode modify any .html it can find, and include itself on that site for download), combined with the continual attacks on IIS sites, banner servers, etc., is a mystery to me.

--
Nicholas C. Weaver nweaver () cs berkeley edu
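The point Weaver makes above is that an egress allowlist only helps if every allowed site is itself intact: a compromised site can serve the malware directly, or have its own .html pages modified to reference a download. The defender-side check that follows from that is an integrity scan of the web content you serve. The script below is an added example, not part of the original thread or of any Microsoft tooling: it snapshots SHA-256 hashes of HTML files so modified or newly appeared files stand out, and it parses each page for references to hosts outside an operator-maintained allowlist or to executable downloads. The host names, file names and HTML fragments are constructed for the example.

```python
"""Web-root integrity check: detect modified HTML files and injected references.

Two independent signals, both usable offline:
  1. hash snapshot diff   -> which files changed or appeared since the baseline
  2. reference scan       -> which pages now pull content from off-allowlist hosts
                             or link to executable downloads
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attribute that carries the referenced URL for each tag we care about.
REF_ATTRS = {"script": "src", "iframe": "src", "frame": "src",
             "object": "data", "embed": "src", "a": "href", "img": "src"}

# Extensions that indicate a direct executable download (assumption: the site
# being checked never legitimately links to these).
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".hta")


class RefCollector(HTMLParser):
    """Collect (tag, url) pairs for every tag that loads or links a resource."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = REF_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.refs.append((tag, value))


def suspicious_refs(html, allowed_hosts):
    """Return (tag, url, reason) for references that should not be on the page.

    A reference is flagged if it points at a host outside allowed_hosts
    (absolute or protocol-relative URLs), or if its path ends in an executable
    suffix (relative links included).
    """
    collector = RefCollector()
    collector.feed(html)
    findings = []
    for tag, url in collector.refs:
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        path = parsed.path.lower()
        if host and host not in allowed_hosts:
            findings.append((tag, url, "host not on allowlist"))
        elif path.endswith(EXEC_SUFFIXES):
            findings.append((tag, url, "links to executable content"))
    return findings


def snapshot(files):
    """Map relative path -> SHA-256 hex digest for a dict of path -> bytes."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def changed_files(baseline, current):
    """Paths whose hash differs from the baseline, plus paths not in the baseline."""
    return sorted(p for p, h in current.items() if baseline.get(p) != h)


# Constructed sample content: a clean page and the same page with an injected
# hidden iframe and a link to an executable, as an attacker might leave behind.
SAMPLE_CLEAN = ('<html><body><script src="/js/app.js"></script>'
                '<img src="http://www.example.com/logo.png"></body></html>')
SAMPLE_INJECTED = SAMPLE_CLEAN.replace(
    "</body>",
    '<iframe src="http://attacker.invalid/p.html" width="0" height="0"></iframe>'
    '<a href="/dl/update.exe">important update</a></body>')
ALLOWED_HOSTS = {"www.example.com"}  # assumption: the operator's own hosts


def audit(baseline_files, current_files, allowed_hosts=ALLOWED_HOSTS):
    """Combine both signals: {path: [findings]} for every changed or new file."""
    baseline = snapshot(baseline_files)
    current = snapshot(current_files)
    report = {}
    for path in changed_files(baseline, current):
        html = current_files[path].decode("utf-8", errors="replace")
        report[path] = suspicious_refs(html, allowed_hosts)
    return report


if __name__ == "__main__":
    before = {"index.html": SAMPLE_CLEAN.encode()}
    after = {"index.html": SAMPLE_INJECTED.encode()}
    for path, findings in audit(before, after).items():
        print(f"{path}: modified since baseline")
        for tag, url, reason in findings:
            print(f"  <{tag}> {url}  [{reason}]")
```

Run against a real web root by reading each .html file into the dict (path to bytes), storing the baseline snapshot somewhere the web server account cannot write, and re-running the audit on a schedule; the hash diff catches any edit, and the reference scan tells you which of the edits matter.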