| ActiveMac | Anonymous | Create a User | Reviews | News | Forums | Advertise |
|
|
|
User Controls |
|
New User |
|
Login |
|
Edit/View My Profile |
|
|
|
|
|
|
|
ActiveMac |
|
Articles |
|
Forums |
|
Links |
|
News |
|
News Search |
|
Reviews |
|
|
|
|
|
|
|
News Centers |
|
Windows/Microsoft |
|
DVD |
|
ActiveHardware |
|
Xbox |
|
MaINTosh |
|
News Search |
|
|
|
|
|
|
|
ANet Chats |
|
The Lobby |
|
Special Events Room |
|
Developer's Lounge |
|
XBox Chat |
|
|
|
|
|
|
|
FAQ's |
|
Windows 98/98 SE |
|
Windows 2000 |
|
Windows Me |
|
Windows "Whistler" XP |
|
Windows CE |
|
Internet Explorer 6 |
|
Internet Explorer 5 |
|
Xbox |
|
DirectX |
|
DVD's |
|
|
|
|
|
|
|
TopTechTips |
|
Registry Tips |
|
Windows 95/98 |
|
Windows 2000 |
|
Internet Explorer 4 |
|
Internet Explorer 5 |
|
Windows NT Tips |
|
Program Tips |
|
Easter Eggs |
|
Hardware |
|
DVD |
|
|
|
|
|
|
|
Latest Reviews |
|
Applications |
|
Microsoft Windows XP Professional |
|
Norton SystemWorks 2002 |
|
|
|
Hardware |
|
Intel Personal Audio Player 3000 |
|
Microsoft Wireless IntelliMouse Explorer |
|
|
|
|
|
|
|
Site News/Info |
|
About This Site |
|
Affiliates |
|
ANet Forums |
|
Contact Us |
|
Default Home Page |
|
Link To Us |
|
Links |
|
Member Pages |
|
Site Search |
|
Awards |
|
|
|
|
|
|
|
Credits |
 |
New Flaws in Internet Explorer, Outlook Reported | |
|
||
| Time: 05:45 EST/10:45 GMT | News Source: Yahoo News | Posted By: Alex Harris | ||
Two new security flaws have been reported for Microsoft's Internet Explorer browser and Outlook program and have been rated "high risk" by the private security firm that discovered them. The vulnerabilities were sent to Microsoft by eEye Digital Security, which also posted an advisory on the company's Web page. Microsoft has noted that it is looking into the vulnerabilities, but has not had any customer reports of attacks, according to news reports. A spokesperson for the company added that when an investigation is completed, Microsoft would take appropriate steps to protect users. | ||
|
Write Comment
Return to News |
Displaying 1 through 25 of 320 Last | Next |
The time now is
10:59:57 AM
ET.
Any comment problems? E-mail us |
| #1 By 21705 (142.213.176.140) at 4/5/2005 9:07:05 AM |
| Will they wait til IE7? |
| #2 By 8556 (12.217.161.186) at 4/5/2005 12:41:24 PM |
| Maybe it’s just me, but I fume when Microsoft makes public comments like “no one has reported an attack yet.” While probably an honest comment, it sounds defensive and comes across as dumb PR, implying that they normally don’t act until a serous attack is underway at a critical mass of customers. |
| #3 By 12071 (203.185.215.149) at 4/6/2005 12:00:23 AM |
|
#4 "implying that they normally don’t act until a serous attack is underway"
Which is true of not just Microsoft but any large corporation/large business. Unless it's going to affect their bottom line they don't care about it. #5 "if I heard that the exploit had been written and was even now infecting systems across the network" How do you know that this hasn't already happened? Because no-one reported it to Microsoft? That's hardly a logical conclusion that it hasn't happened. These two exploits have been known by Microsoft for 1 (http://www.eeye.com/html/research/upcoming/20050329.html) and 3 weeks 9http://www.eeye.com/html/research/upcoming/20050316.html) which means that eEye would have known about them even earlier so that they could then report their findings to Microsoft. Are you THAT certain that no-one other than eEye and Microsoft knows about these exploits? Are you THAT certain that no-one at eEye and/or Microsoft could have leaked this information out? And if so, where is this certainty coming from? Your trust that people would immediately report the issue to Microsoft? The interesting part of that story was the quote from Marc Maiffret: ""Part of it is the way they look into vulnerabilities, but another part of it is marketing, so they can say they've issued fewer security bulletins and so they're making things more secure," he added" Exactly... when Microsoft have a fix ready they will announce it a month before putting the fix on Windows Update and claim it only took a month for them to fix the issue! |
| #4 By 12071 (203.185.215.149) at 4/6/2005 6:21:11 AM |
|
#7 "I'll bet you $5 that you can't find anyone to prove those vulns have been exploited in the wild"
And what, aside from me being unable to find such a person, will that prove? Does it prove that there really isn't anyone out there that knows about this vulnerability? Do they only exist if I personally know them? Does a tree make a sound if it falls in the forest and there is nothing and no-one around to hear it? What kind of logic are you trying at here? "If they say they haven't heard of any in-the-wild exploits, I believe them" I never said they lied about this. I'm positive that they haven't hard of any - but them not hearing about them doesn't prove that they're not out there. You betting all of us $5 or $5million doesn't prove that either. And that goes for any exploit for any application or OS, which is why many people prefer full disclosure, so that in any case you are informed and if need be can take steps to protect yourself even if that might mean turning certain functions off. "Oh - and I'll bet you another $5 they don't pull the trick you mentioned in that last sentence. Are you willing to put your money where your mouth is?" You love that whole $5 bet thing don't you... I'd love to, the problem is that once the fix is out you will challange me with finding a quote from Microsoft saying that it only took them a month to fix it - how boring. Feel free to defend Microsoft all you like but there was a study released not that long ago where the patch times of Microsoft were compared to RedHat. That study (funded by ... come on guess!) showed that Microsoft release patches on average within 30 days of them being released. I personally find that a little hard to believe given that the length of time it took to fix these patches: 190 days - http://www.eeye.com/html/research/advisories/AD20050208.html 57 days - http://www.eeye.com/html/research/advisories/AD20050111.html 71 days - http://www.eeye.com/html/research/advisories/AD20041012A.html 208 days - http://www.eeye.com/html/research/advisories/AD20041012.html 216 days - http://www.eeye.com/html/research/advisories/AD20040413A.html 216 days - http://www.eeye.com/html/research/advisories/AD20040413B.html 188 days - http://www.eeye.com/html/research/advisories/AD20040413C.html 144 days - http://www.eeye.com/html/research/advisories/AD20040413D.html 64 days - http://www.eeye.com/html/research/advisories/AD20040413E.html 164 days - http://www.eeye.com/html/research/advisories/AD20040413F.html 200 days - http://www.eeye.com/html/research/advisories/AD20040210.html 138 days - http://www.eeye.com/html/research/advisories/AD20040210-2.html Note that I can't give you the times for all their other patches because Microsoft don't disclose that sort of information - and if they do, it's not easily found! And that's why I tend to agree with Marc's comments. |
| #5 By 12071 (203.185.215.149) at 4/6/2005 8:21:54 PM |
|
#9 "So, you won't put your money where your mouth is?"
It has absolutely nothing to do with being able or unable to put money where my mouth is, I'm more than happy to take up the second bet with you if you feel that it'll make you a better man. I already explained why I question your logic and you failed to answer those questions of mine - funny about that! Pointing out that just because someone didn't report an exploit to Microsoft in no way proves that such an exploit does not exist - hell, I even went out of my way to explain to you that the same logic applies to ANY exploit on ANY application on ANY operating system, but once again, as much as you try to claim otherwise, the inner Microsoft zealot in you couldn't hold it back any longer and saw everything I said as FUD. It's not FUD, it's the reasoning I use to back up full disclosure of any and all exploits - and I gave my reasons for why I believe that to be the best way forward, rather than hiding exploits from the public in order to create a facade of high security. "Instead of trying to hold me to that, you search for a way out of the bet," I'm not searching for a way out of a bet, I actually think it's fairly childish to come on any forum and start betting people $5 - what does it prove after all. Following that line of thinking, and based on other Microsoft zealot comments int he past I could see that the natural progression, should you have lost the bet, would have been as I mentioned in my previous post. "I can't respond to your allegations about {some study} because I'm not sure which one you mean" I'll find you the study - perhaps MSN Search wasn't working for you - try Google! http://www.linuxworld.com.au/index.php/id;554502920;fp;2;fpid;1 Microsoft takes on average 25 days to patch a bug! They must have patched a LOT of bugs very quickly to bring the average down that much! "I wish they had done this in 1998, or 1992, or ... " 1994? Since all the examples were from last year? Perhaps they only started this storng security lifecycle this year. |
|
Write Comment
Return to News |
Displaying 1 through 25 of 320 Last | Next |
The time now is
10:59:57 AM
ET.
Any comment problems? E-mail us |
