Interesting People mailing list archives

IP: Re: IE5 Security Hole Makes Users' PCs Vulnerable


From: David Farber <farber () cis upenn edu>
Date: Thu, 2 Sep 1999 13:09:49 -0400



X-Sender: brett@localhost
Date: Thu, 02 Sep 1999 10:48:04 -0600
To: farber () cis upenn edu, ip-sub-1 () admin listbox com
From: Brett Glass <brett () lariat org>
Subject: IP: Re: IE5 Security Hole Makes Users' PCs Vulnerable

"Rhys Weekley" <rhyso () mail com> writes:

The ZDNet article says Microsoft has done nothing about this, but they have
released a patch already. See
http://www.microsoft.com/security/bulletins/ms99-032.asp.

Microsoft's security bulletin regarding the patch states that it was
"Originally" posted on August 31, 1999 -- ten days after Guninski posted
information about the hole to public mailing lists. (The bulletin, mailed
at noon on that day, does not appear to have been linked into Microsoft's
security Web site -- where most users look for such announcements -- until
September 1.)

Thus, Microsoft took more than a week and a half after the announcement
of the hole to respond, and longer still to post the bulletin to its Web
site. The article which was published on the ZDNet Help Channel
(http://www.zdnet.com/zdhelp/stories/main/0,5594,2322425,00.html)
and also on ZDNN was correct in saying that, at the time it was written,
Microsoft had not provided a patch or even publicly acknowledged the problem.

The article may have spurred Microsoft to release a patch more quickly than
it would have otherwise. Alas, users of IE5, Outlook, Outlook Express, Eudora
Lite, Eudora Pro, TurboTax, Quicken, Microsoft Office, and other programs were
vulnerable in the interim unless they took the steps mentioned in that
article. Even now, the vast majority of IE5 users are still vulnerable, and
will continue to be so unless they follow those steps and/or install
Microsoft's patch. (The instructions in the article, which shut down ActiveX
and Active Scripting altogether, may be safer than applying Microsoft's patch,
because there are almost certainly other ActiveX controls with potential
exploits.)

Microsoft does not go out of its way to publicize security problems widely to
end users, and the major news outlets often do not consider the CLOSING of a
hole to be worthy of a news story. Therefore, many users will be vulnerable
indefinitely.

--Brett Glass

