Full Disclosure mailing list archives

Re: MS02-065 vulnerability


From: "HggdH" <hggdh () attbi com>
Date: Sat, 23 Nov 2002 11:10:13 -0600

Paul ("Paul Szabo" <psz () maths usyd edu au>) replied:
(...)
|
| The work-arounds suggested by Microsoft probably work. They might even
| "come clean" and suggest to disable ActiveX, or even go as far as to ask
| users to "get off" IE (and use Netscape or Mozilla or whatever), or to
| upgrade to Linux.
|
| The fact remains that installing the patch does not protect the (IE) user.

Indeed. I am sorry I did not realise your point on the first post. It
minimises, at most, the exposure... until the sucker, uh, user, hits a
malicious web site.

(...)

| > The real interesting part, for me, is that the trust on the trusting
| > mechanism has been shattered. Finally.
|
| Agreed.


Which puts us back on the Microsoft implementation: the most I can "trust",
from a signed piece of code, is that it was correctly signed. Microsoft
expanded this to "I can not only trust it was correctly signed, but I am
also going to allow *any* code from this publisher to be automatically
installed on my system". In other words, "if the signature is good, then the
contents are also good".

This seems to me not only a jump in logic, but a straight dive into the
faith pool. We do not just trust a publisher anymore, but we believe in it.
And it amazes me nobody else is commenting on it. I have not seen anything
on the other major security lists up to now.

As said earlier, Microsoft should put out a special Security Bulletin
implementing the removal of automatic trust from itself. And I see this
bulletin being as important as any other critical fix. I hope Microsoft
realises the fallacy it has put itself in, and corrects it.

Ah well.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
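The distinction the post draws, between "this signature verifies" and "anything this publisher signs may be installed silently", can be made concrete in code. The following is an added illustration, not part of the mailing-list post and not Microsoft's code: a real Authenticode signature is stood in for by an HMAC-SHA256 over the package bytes with a constructed per-publisher key, and the publisher name, package contents and approved hash list are all constructed for the example. It contrasts the auto-trust policy the post objects to with a policy in which a valid signature is only a precondition and each package still needs its own approval.

```python
"""
Added example (not from the post): signature validity versus install authorization.
A valid signature says "this came from the key holder, unmodified"; it says
nothing about whether the contents should be allowed to run.
"""
import hashlib
import hmac

# Constructed publisher keys. In a real system these are certificate chains
# validated by the OS; HMAC is only a stand-in so the example runs offline.
PUBLISHER_KEYS = {
    "ExampleSoft": b"example-soft-constructed-key",
}


def sign(publisher, payload):
    """Publisher-side: produce the (simulated) signature over the package."""
    return hmac.new(PUBLISHER_KEYS[publisher], payload, hashlib.sha256).hexdigest()


def signature_valid(publisher, payload, sig):
    """Client-side: does the signature verify for this publisher and payload?"""
    key = PUBLISHER_KEYS.get(publisher)
    if key is None:
        return False
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


def decide_auto_trust(publisher, payload, sig, trusted_publishers):
    """The policy the post criticises: once the publisher is on the trusted
    list, every validly signed package from it is installed with no question."""
    if not signature_valid(publisher, payload, sig):
        return "reject"
    if publisher in trusted_publishers:
        return "install"
    return "prompt"


def decide_per_package(publisher, payload, sig, approved_hashes):
    """Signature as precondition, not authorization: silent install only
    for packages whose SHA-256 was explicitly approved; everything else
    that verifies still gets a prompt, and anything that fails verification
    is rejected outright."""
    if not signature_valid(publisher, payload, sig):
        return "reject"
    digest = hashlib.sha256(payload).hexdigest()
    if digest in approved_hashes:
        return "install"
    return "prompt"


def demo():
    """Run both policies over three constructed packages from one publisher."""
    publisher = "ExampleSoft"
    reviewed = b"reviewed-control-v1"       # package an admin actually vetted
    unreviewed = b"some-other-control-v2"   # same publisher, never vetted
    tampered = b"reviewed-control-v1-plus-extra-bytes"

    sig_reviewed = sign(publisher, reviewed)
    sig_unreviewed = sign(publisher, unreviewed)
    # Tampered package reuses the reviewed package's signature.
    sig_tampered = sig_reviewed

    trusted = {publisher}
    approved = {hashlib.sha256(reviewed).hexdigest()}

    results = {}
    for name, payload, sig in (
        ("reviewed", reviewed, sig_reviewed),
        ("unreviewed", unreviewed, sig_unreviewed),
        ("tampered", tampered, sig_tampered),
    ):
        results[name] = (
            decide_auto_trust(publisher, payload, sig, trusted),
            decide_per_package(publisher, payload, sig, approved),
        )
    return results


if __name__ == "__main__":
    for name, (auto, per_pkg) in demo().items():
        print(f"{name:11s} auto-trust={auto:8s} per-package={per_pkg}")
```

The "unreviewed" row is the point of the post: both policies agree the signature is good, but only the auto-trust policy turns that into a silent install. The per-package policy treats the signature as proof of origin and integrity and nothing more, which is all a signature can actually establish.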