Full Disclosure mailing list archives

RE: IE is just as safe as FireFox


From: Colin.Scott () csplc com
Date: Mon, 15 Nov 2004 08:42:09 +0000


Yes perhaps I'm being a little close minded.

I know that WFP can be switched off and all that, but this is real life. We
don't have the luxury of 1 single domain controlling all our clients, we
are talking multiple NT/2000/2003 domains, multiple OS's, multiple Admins.

I am complaining (more the point I am trying to make as others are on the
list) directly about the situation we are in with the patching of Windows
products.  We feel like we are held to ransom by MS's security team while
they drink their coffee testing new patches on Dells with no doubt MS-only
apps installed. Meanwhile we have to go out and spend hundreds of thousands
of pounds on products that we shouldn't have to purchase. Or engineer
tricky methods to make changes to the whole estate just so we can feel a
little happier running windows (will we ever feel happy?).

We use SUS and currently it's switched off. Why? Because one of MS's helpful
little patches has been eating machines, or more accurately WFP has been
helpfully putting DLLs back to the old version without warning, result
non-booting machine. An open call with MS PSS has given us no fix (c'mon
pull the finger out guys)

So currently we are damned if we do patch and damned if we don't.

Maybe you'll understand why I'm a little tetchy on the subject now (as I'm
sure others are too), and why I responded to Rafel's comments so
aggressively.  His comments weren't helpful, anyone can put forward a
suggestion that costs way over 200k GBP.

Back on topic though, IE is nowhere near Firefox for security, however,
does Firefox come with a roll out method? Does it work for our critical
apps? Can the Firefox settings be controlled centrally? I'm sure I could
spend weeks figuring out methods to get Firefox to do these things, maybe
by that time MS will have patched IE (I'm not holding my breath).  The MS
guy that said the original comment should have known when he said it he was
dropping a clanger.

Cheers,

Colin.


"Michael Evanchik" <mevanchik@relationship1.com>
Sent by: full-disclosure-admin@lists.netsys.com
12/11/2004 16:15
To: <Colin.Scott () csplc com>, <full-disclosure () lists netsys com>
Subject: RE: [Full-Disclosure] IE is just as safe as FireFox




I disagree Colin,

A good administrator knows there is more than one way to skin a cat. Rafel,
I believe, was just briefly stating some solutions to the problem.  I can tell
you windows protection can be defeated with a few registry changes. Combine
that with an active directory login script and I believe that is one way to
solve the issue.  It is wrong to complain and give up if you are an
administrator. Talk to your developer, I'm sure he will have a solution  =)

Mike

www.michaelevanchik.com


-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of
Colin.Scott () csplc com
Sent: Friday, November 12, 2004 9:46 AM
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] IE is just as safe as FireFox

More infinite wisdom there Rafel.

Price per license for "Finjan's Vital Security for Web" = 9.50GBP per user
+ 20% support per annum, roughly equates to 160,000GBP (plus any hardware,
software and network requirements) to cover us with your no doubt
class-leading product.  I'm sure that the Directors will love to cough up
another 160 grand when we are already paying MS for Premier support.

Use SUS to install XP SP2 to 14,000 Windows 2000 machines? Somehow I think
that will be problematic.

Replace the SHDOCVW.DLL with the XP SP2 version? On Windows 2000 machines?
And what about the practical problems getting round Windows File
Protection? On 14,000 machines? Do you want to come in here and try what
you suggest?

I think Rafel you need a lesson in being a Windows Administrator before
posting your very helpful posts to this list.

So thanks but no thanks.

Colin.


"Rafel Ivgi, The-Insider" <theinsider@012.net.il>
12/11/2004 14:08
To: <full-disclosure () lists netsys com>, <Colin.Scott () csplc com>
Subject: Re: [Full-Disclosure] IE is just as safe as FireFox

If you do have 14000 machines why don't you buy "Finjan's Vital Security For
Web"?
It will filter all malicious I.E exploits for all its surfers (it's a proxy,
quite fast...)

Or just use SUS (system update server (microsoft)) just like any other
administrator... to install sp2 or to just replace the
c:\windows\system32\shdocvw.dll with the patched one or with sp2 one...

Rafel Ivgi, The-Insider
Security Consultant
Malicious Code Research Center (MCRC)
Finjan Software LTD
E-mail: rivgi () Finjan com
---------------------------------
Prevention is the best cure!
----- Original Message -----
From: <Colin.Scott () csplc com>
To: <full-disclosure () lists netsys com>
Sent: Friday, November 12, 2004 12:46 PM
Subject: Re: [Full-disclosure] IE is just as safe as FireFox


Oh yeah, I've got 14,000 Windows 2000 machines to update to windows XP SP2,
hang on where's that CD?

So thanks for your infinite wisdom there Rafel.

Colin.


"Rafel Ivgi, The-Insider" <theinsider@012.net.il>
Sent by: full-disclosure-admin@lists.netsys.com
12/11/2004 06:44
To: <full-disclosure () lists netsys com>
Subject: Re: [Full-Disclosure] IE is just as safe as FireFox


That is incorrect, there is a fix --> SP2.
Users should use the latest updated system, meaning if there is an SP2, they
should install it.


Rafel Ivgi, The-Insider
Security Consultant
Malicious Code Research Center (MCRC)
Finjan Software LTD
E-mail: rivgi () Finjan com
---------------------------------
Prevention is the best cure!
----- Original Message -----
From: "Martin Mkrtchian" <dotsecure () gmail com>
To: "Todd Towles" <toddtowles () brookshires com>
Cc: "Mailing List - Full-Disclosure" <full-disclosure () lists netsys com>;
<ring-of-fire () yahoogroups com>
Sent: Friday, November 12, 2004 3:03 AM
Subject: Re: [Full-disclosure] IE is just as safe as FireFox


They should've at least released that statement after they fixed the
IE FRAME vulnerability. 0 day exploit is in the wild and no fix for
it, yet they claim it's secure enough.

If the programmers are as smart as the company press releasers, I can
see why I.E. still sux.


Martin


On Thu, 11 Nov 2004 15:59:20 -0600, Todd Towles
<toddtowles () brookshires com> wrote:
Microsoft's security and management product manager (Ben English)
says...

At a security roundtable discussion in Sydney on Thursday, Ben English,
Microsoft's security and management product manager, told attendees that
IE undergoes "rigorous code reviews" and is no less secure than any
other browser.

"Because IE is ubiquitous, you hear a lot more about it, but I don't
think that Internet Explorer is any less secure than any other browser
out there," English said.

http://news.com.com/Microsoft+says+Firefox+not+a+threat+to+IE/2100-1032_3-5448719.html?part=dht&tag=ntop&tag=nl.e433

Can anyone say IFRAME? Lol

-Todd

 _______________________________________________
Full-Disclosure - We  believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html











