Anyone see a game changer here?

Fri Jan 22 05:26:45 UTC 2010

The problem with IE is the same problem as Windows, the basic design
is fundementally insecure and "timely updates" can't fix that.

Bruce

On Thu, Jan 21, 2010 at 9:19 PM, James Hess <mysidia at gmail.com> wrote:
> On Thu, Jan 21, 2010 at 9:52 PM, Gadi Evron <ge at linuxbox.org> wrote:
>> On 1/15/10 5:52 PM, Steven Bellovin wrote:
> ..> 2. Is Microsoft, while usually timely and responsible, completely
>> irresponsible in wanting to patch this only in February? While they patched
>> it sooner (which couldn't have been easy), their over-all policy is very
>> disturbing and in my opinion calls for IE to not be used anymore.
>
> It is not as if there are a wealth of alternatives.   There are still
> many cases,  where IE  or MSHTML components are a pre-requisite,  to
> access a certain product  that is  important to the user.    A
> canonical example,  would be:
>
> Intranet apps, web-managed  routers, switches, firewalls, or other
> network infrastructure that can only be administered using MSIE
> version 6 (ActiveX control, or old HTML relying on IE features) --
> probably devices with old software.
> Mail readers such as Outlook with  MSHTML components embedded.
>
> ..> 3. Why are people treating targeted attacks as a new threat model? Their
>> threat models are just old. This we discussed here.
>
> It's an old model that could have fallen into some measure of disuse.
>   Targeted  attacks  are possibly riskier to launch than randomly
> dispersed  attacks,  and require an insider or more determined
> attacker  who can effect social engineering in the right place;   the
> result is they are rarer.
>
> Intuitively,  hardly any user thinks  they can personally be subject
> to a complex targetted attack penetrating multiple security layers and
> requiring obscure enterprise-specific info.... until it happens...
> because people assume complexity of the required attack,  and
> 'security software' such as Antivirus lead to a high level of safety,
> without ever having a logical or statistically rigorous basis for
> arriving at the assumption.
>
> Perhaps there were so many non-targetted attacks,  that the idea of
> "targetted attack"  was  drowned out of the security dialogue and
> forgotten by some..   or there was a mistaken belief  that  the
> targetted attacks automatically get stopped by the firewall   and
> mod_security...
>
> --
> I believe 3 to 4  weeks  is par for the course,  with most  major
> software manufacturers, even for a patch to a critical security
> issue...
>
>
> It is really impossible to make a reasonable assessment on
> Microsofts' response based on just one event  (where in fact, they
> pulled through).
>
> I don't perceive that Microsoft have any solid history of being more timely  or
>  more responsible, than other vendors.  In most cases,  they have
> released patches soon after a serious advisory was made public,  but
> the date the vulnerability was first discovered and reported to
> Microsoft,  is not disclosed in the advisory or patch too often, that
> I saw.   As I understand: a vulnerability  might  have first been
> reported to MS  months or years before they released a patch  or even
> acknowledged there was an issue, in some cases.    Sometimes they even
> advise, but say there will be no patch  (e.g.  Windows XP and
> MS09-048 ).
>
>
> A  "true"  zero day  like the recent one,  where the exploit is in the
> wild and in use by blackhats  prior to  the vendor even being aware of
>  a possible vulnerability,  is a different animal,  than routine
> security patches (even ones listed as critical or high-priority).
>
> Because (no doubt)  it requires some strong measure of analysis first
> to determine what code is being exploited,  in addition to the normal
> steps involved in fixing a hole....   e.g.  determining  what the
> actual possible bug(s) are, and how to fix, without  probably
> introducing new ones,   or  missing some conditions.
>
>
> --
> -J
>
>

-- 

“Discovering...discovering...we will never cease discovering...
and the end of all our discovering will be
to return to the place where we began
and to know it for the first time.”
-T.S. Eliot