
Anyone see a game changer here?



The problem with IE is the same problem as Windows: the basic design
is fundamentally insecure and "timely updates" can't fix that.

Bruce

On Thu, Jan 21, 2010 at 9:19 PM, James Hess <mysidia at gmail.com> wrote:
> On Thu, Jan 21, 2010 at 9:52 PM, Gadi Evron <ge at linuxbox.org> wrote:
>> On 1/15/10 5:52 PM, Steven Bellovin wrote:
> >> 2. Is Microsoft, while usually timely and responsible, completely
>> irresponsible in wanting to patch this only in February? While they patched
>> it sooner (which couldn't have been easy), their over-all policy is very
>> disturbing and in my opinion calls for IE to not be used anymore.
>
> It is not as if there are a wealth of alternatives. There are still
> many cases where IE or MSHTML components are a pre-requisite to
> access a certain product that is important to the user. A
> canonical example would be:
>
> Intranet apps, web-managed routers, switches, firewalls, or other
> network infrastructure that can only be administered using MSIE
> version 6 (ActiveX control, or old HTML relying on IE features) --
> probably devices with old software.
> Mail readers such as Outlook with MSHTML components embedded.
>
> >> 3. Why are people treating targeted attacks as a new threat model? Their
>> threat models are just old. This we discussed here.
>
> It's an old model that could have fallen into some measure of disuse.
> Targeted attacks are possibly riskier to launch than randomly
> dispersed attacks, and require an insider or more determined
> attacker who can effect social engineering in the right place; the
> result is they are rarer.
>
> Intuitively, hardly any user thinks they can personally be subject
> to a complex targeted attack penetrating multiple security layers and
> requiring obscure enterprise-specific info.... until it happens...
> because people assume complexity of the required attack, and
> 'security software' such as Antivirus lead to a high level of safety,
> without ever having a logical or statistically rigorous basis for
> arriving at the assumption.
>
> Perhaps there were so many non-targeted attacks that the idea of
> "targeted attack" was drowned out of the security dialogue and
> forgotten by some.. or there was a mistaken belief that the
> targeted attacks automatically get stopped by the firewall and
> mod_security...
>
> --
> I believe 3 to 4 weeks is par for the course with most major
> software manufacturers, even for a patch to a critical security
> issue...
>
>
> It is really impossible to make a reasonable assessment on
> Microsoft's response based on just one event (where in fact, they
> pulled through).
>
> I don't perceive that Microsoft have any solid history of being more timely or
> more responsible than other vendors. In most cases, they have
> released patches soon after a serious advisory was made public, but
> the date the vulnerability was first discovered and reported to
> Microsoft is not disclosed in the advisory or patch too often, that
> I saw. As I understand: a vulnerability might have first been
> reported to MS months or years before they released a patch or even
> acknowledged there was an issue, in some cases. Sometimes they even
> advise, but say there will be no patch (e.g. Windows XP and
> MS09-048).
>
>
> A "true" zero day like the recent one, where the exploit is in the
> wild and in use by blackhats prior to the vendor even being aware of
> a possible vulnerability, is a different animal than routine
> security patches (even ones listed as critical or high-priority).
>
> Because (no doubt) it requires some strong measure of analysis first
> to determine what code is being exploited, in addition to the normal
> steps involved in fixing a hole.... e.g. determining what the
> actual possible bug(s) are, and how to fix, without probably
> introducing new ones, or missing some conditions.
>
>
> --
> -J
>
>



-- 

"Discovering...discovering...we will never cease discovering...
and the end of all our discovering will be
to return to the place where we began
and to know it for the first time."
-T.S. Eliot