Full Disclosure mailing list archives
RE: Microsoft and Security
From: "Mark Laurence" <m.laurence () groveindependentschool co uk>
Date: Tue, 29 Jun 2004 10:34:55 +0100
On the subject of IE bugs, I am running SP2 RC2, IE6.0.2900.2149. Today I opened a window on http://www.asus.com/products/server/srv-mb/ncch-dl/overview.htm; in another IE window I had www.ingrammicro.com/uk open. When I click on the picture of the motherboard in the first page to enlarge it, it changes the ingrammicro page to have the picture of the motherboard in it, but still displays the ingrammicro page title in the browser bar and the top "frame" of the ingrammicro page....

Weird one, I don't know if it is restricted to this build of IE though.

HTH
Mark
-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Steve Kudlak
Sent: 29 June 2004 08:05
To: Nancy Kramer
Cc: Burnes, James; 1 () malware com; bugtraq () securityfocus com; NTBugtraq () listserv ntbugtraq com; full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Microsoft and Security

To a certain extent you are right. I dunno if this is the place to discuss all these very general issues, although many of the reasons that IE has so many problems may come from the very fact that there is some minority of sites that are very IE-only, and that large enterprises sometimes declare "thou shalt use Outlook". Well, some small places too. I notice many public libraries have IE as their internal browser. This is interesting because my local library goes to extraordinary lengths to prevent people doing nasty things to their computers. For example one can not bring in floppy disks or CDs, and the public browser is pretty limited. But it still lets you surf anywhere you want. Now if there were a malicious site that could work ill WITHOUT DOWNLOADING, that would be really bad news for the limited public access that many people have.

What would be nice is some HTML code to test things like browser vulnerabilities, especially those often reported. They could be put up in some well marked demo site with flags about "be careful with this", so someone who is interested could test browsers and resolve these "which browsers are safer" questions, and also allow people to put pressure on various browser development teams to make browsers safer for the benefit of everyone.

Have Fun,
Sends Steve

Nancy Kramer wrote:
There are lots of sites written only for IE or clones of IE like Opera. Some large sites are written only for late model IEs. Many are from large companies. Big business thinks MS is the state of the art and the only way to go for business.
You have a choice: do it their way or don't get the benefits of their web site. They play to the user who has AOL, uses only IE and Outlook with all the defaults on, because if MS does it it must be right, and they really have no interest in changing things or knowing about them. People believe they are protected by big companies like MS. They are fools, but then, like a friend of mine always says, "business people are stupid". They believe that the US government should protect them from hackers and spam. That cannot be done, but they don't understand that and neither do the US legislators.

Regards,
Nancy Kramer
Webmaster http://www.americandreamcars.com
Free Color Picture Ads for Collector Cars
One of the Ten Best Places To Buy or Sell a Collector Car on the Web

At 05:23 PM 6/28/2004, Burnes, James wrote:
Well, this is a predictable, but interesting quote from IDefense...

[IDefense linked the malicious attacks to a group by a different name called the hangUP team, also from Russia and also believed to be responsible for the recent string of Korgo worms, Dunham said. "These are hackers for hire and they commoditize every piece of information they capture. This was a very complicated and sophisticated attack," he said. Security experts were still trying to determine Friday how IIS servers were compromised and whether applying the latest patches for IIS and Internet Explorer would protect users from the attacks. "My gut feeling is (patching) doesn't protect you," Dunham said. "If I were a home user, I'd consider using another Web browser, like Mozilla, until a patch comes out," he said.] (nwfusion - 06/25/2004)

Well, of course. But why go back to IE unless someone wrote apps that only run on IE, and what's the point of that. Might as well write them in VB.
jim burnes
security engineer
great-west, denver

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of http-equiv () excite com
Sent: Friday, June 25, 2004 9:41 AM
To: bugtraq () securityfocus com
Cc: NTBugtraq () listserv ntbugtraq com; full-disclosure () lists netsys com
Subject: [Full-disclosure] Microsoft and Security

Where is Microsoft now "protecting their customers" as they love to bray? Should not someone in authority at this public company step forward and explain themselves at this time?

All of a sudden panic is being created across the WWW with "IIS Exploit Infecting Web Site Visitors With Malware", "Mysterious Attack Hits Web Servers", "Researchers warn of infectious Web sites", all stemming, from all news accounts, from an unpatched "problem" with Internet Explorer now two weeks old and counting, which in fact in reality stems from 10 months ago, that being the adodb.stream safe for scripting control with write capabilities.

What exactly is being done about this? Nothing. What does multiple billions of dollars buy you today. Nothing. However for $20 million you can almost fly to the moon. Someone ought to step forward and explain what exactly is happening at this public company. The great "protector of their customers". One might even suggest that their entire "security" mandate be re-examined. What exactly do they consider a vulnerability? Something that suits them or something that's cost effective to fix. So what, a few people lose their identities, have a few dollars extracted from their bank accounts, have their home pages reset, we'll fix it when it suits us as we have to be on budget this quarter. The Big Boss says $40 billion isn't enough this year.
A vulnerability: http://www.microsoft.com/technet/archive/community/columns/security/essays/vulnrbl.mspx

"A security vulnerability is a flaw in a product that makes it infeasible - even when using the product properly - to prevent an attacker from usurping privileges on the user's system, regulating its operation, compromising data on it, or assuming ungranted trust."

What is this gibberish? For the past 10 months the adodb.stream object is capable of writing files to the "all important customer's" computer. It has real world consequences. It rapes their computer. Does it fit into the gibberish custom definition? Plain and simple: "A security vulnerability is a flaw in a product that makes it infeasible". What kind of language is this. Reads like the financial department conjured it up.

Disabling scripting won't solve it. Putting sites in one of the myriad of "zones" won't solve it. Internet Explorer can trivially be fooled into operating in the less than secure so-called "intranet zone" and it can be guided there remotely.

What's happening here. Where is the Microsoft representative explaining all of this to the shareholders and "customers" they so dearly wish to protect. This is unacceptable. Someone must be held accountable.

--
http://www.malware.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html