Anyone see a game changer here?

James Hess mysidia at
Fri Jan 22 05:19:38 UTC 2010

On Thu, Jan 21, 2010 at 9:52 PM, Gadi Evron <ge at> wrote:
> On 1/15/10 5:52 PM, Steven Bellovin wrote:
..> 2. Is Microsoft, while usually timely and responsible, completely
> irresponsible in wanting to patch this only in February? While they patched
> it sooner (which couldn't have been easy), their over-all policy is very
> disturbing and in my opinion calls for IE to not be used anymore.

It is not as if there are a wealth of alternatives.   There are still
many cases,  where IE  or MSHTML components are a pre-requisite,  to
access a certain product  that is  important to the user.    A
canonical example,  would be:

Intranet apps, web-managed  routers, switches, firewalls, or other
network infrastructure that can only be administered using MSIE
version 6 (ActiveX control, or old HTML relying on IE features) --
probably devices with old software.
Mail readers such as Outlook with  MSHTML components embedded.

..> 3. Why are people treating targeted attacks as a new threat model? Their
> threat models are just old. This we discussed here.

It's an old model that could have fallen into some measure of disuse.
   Targeted  attacks  are possibly riskier to launch than randomly
dispersed  attacks,  and require an insider or more determined
attacker  who can effect social engineering in the right place;   the
result is they are rarer.

Intuitively,  hardly any user thinks  they can personally be subject
to a complex targetted attack penetrating multiple security layers and
requiring obscure enterprise-specific info.... until it happens...
because people assume complexity of the required attack,  and
'security software' such as Antivirus lead to a high level of safety,
without ever having a logical or statistically rigorous basis for
arriving at the assumption.

Perhaps there were so many non-targetted attacks,  that the idea of
"targetted attack"  was  drowned out of the security dialogue and
forgotten by some..   or there was a mistaken belief  that  the
targetted attacks automatically get stopped by the firewall   and

I believe 3 to 4  weeks  is par for the course,  with most  major
software manufacturers, even for a patch to a critical security

It is really impossible to make a reasonable assessment on
Microsofts' response based on just one event  (where in fact, they
pulled through).

I don't perceive that Microsoft have any solid history of being more timely  or
 more responsible, than other vendors.  In most cases,  they have
released patches soon after a serious advisory was made public,  but
the date the vulnerability was first discovered and reported to
Microsoft,  is not disclosed in the advisory or patch too often, that
I saw.   As I understand: a vulnerability  might  have first been
reported to MS  months or years before they released a patch  or even
acknowledged there was an issue, in some cases.    Sometimes they even
advise, but say there will be no patch  (e.g.  Windows XP and
MS09-048 ).

A  "true"  zero day  like the recent one,  where the exploit is in the
wild and in use by blackhats  prior to  the vendor even being aware of
 a possible vulnerability,  is a different animal,  than routine
security patches (even ones listed as critical or high-priority).

Because (no doubt)  it requires some strong measure of analysis first
to determine what code is being exploited,  in addition to the normal
steps involved in fixing a hole....   e.g.  determining  what the
actual possible bug(s) are, and how to fix, without  probably
introducing new ones,   or  missing some conditions.


More information about the NANOG mailing list