Anyone see a game changer here?

Bruce Williams williams.bruce at
Fri Jan 22 05:26:45 UTC 2010

The problem with IE is the same problem as Windows, the basic design
is fundementally insecure and "timely updates" can't fix that.


On Thu, Jan 21, 2010 at 9:19 PM, James Hess <mysidia at> wrote:
> On Thu, Jan 21, 2010 at 9:52 PM, Gadi Evron <ge at> wrote:
>> On 1/15/10 5:52 PM, Steven Bellovin wrote:
> ..> 2. Is Microsoft, while usually timely and responsible, completely
>> irresponsible in wanting to patch this only in February? While they patched
>> it sooner (which couldn't have been easy), their over-all policy is very
>> disturbing and in my opinion calls for IE to not be used anymore.
> It is not as if there are a wealth of alternatives.   There are still
> many cases,  where IE  or MSHTML components are a pre-requisite,  to
> access a certain product  that is  important to the user.    A
> canonical example,  would be:
> Intranet apps, web-managed  routers, switches, firewalls, or other
> network infrastructure that can only be administered using MSIE
> version 6 (ActiveX control, or old HTML relying on IE features) --
> probably devices with old software.
> Mail readers such as Outlook with  MSHTML components embedded.
> ..> 3. Why are people treating targeted attacks as a new threat model? Their
>> threat models are just old. This we discussed here.
> It's an old model that could have fallen into some measure of disuse.
>   Targeted  attacks  are possibly riskier to launch than randomly
> dispersed  attacks,  and require an insider or more determined
> attacker  who can effect social engineering in the right place;   the
> result is they are rarer.
> Intuitively,  hardly any user thinks  they can personally be subject
> to a complex targetted attack penetrating multiple security layers and
> requiring obscure enterprise-specific info.... until it happens...
> because people assume complexity of the required attack,  and
> 'security software' such as Antivirus lead to a high level of safety,
> without ever having a logical or statistically rigorous basis for
> arriving at the assumption.
> Perhaps there were so many non-targetted attacks,  that the idea of
> "targetted attack"  was  drowned out of the security dialogue and
> forgotten by some..   or there was a mistaken belief  that  the
> targetted attacks automatically get stopped by the firewall   and
> mod_security...
> --
> I believe 3 to 4  weeks  is par for the course,  with most  major
> software manufacturers, even for a patch to a critical security
> issue...
> It is really impossible to make a reasonable assessment on
> Microsofts' response based on just one event  (where in fact, they
> pulled through).
> I don't perceive that Microsoft have any solid history of being more timely  or
>  more responsible, than other vendors.  In most cases,  they have
> released patches soon after a serious advisory was made public,  but
> the date the vulnerability was first discovered and reported to
> Microsoft,  is not disclosed in the advisory or patch too often, that
> I saw.   As I understand: a vulnerability  might  have first been
> reported to MS  months or years before they released a patch  or even
> acknowledged there was an issue, in some cases.    Sometimes they even
> advise, but say there will be no patch  (e.g.  Windows XP and
> MS09-048 ).
> A  "true"  zero day  like the recent one,  where the exploit is in the
> wild and in use by blackhats  prior to  the vendor even being aware of
>  a possible vulnerability,  is a different animal,  than routine
> security patches (even ones listed as critical or high-priority).
> Because (no doubt)  it requires some strong measure of analysis first
> to determine what code is being exploited,  in addition to the normal
> steps involved in fixing a hole....   e.g.  determining  what the
> actual possible bug(s) are, and how to fix, without  probably
> introducing new ones,   or  missing some conditions.
> --
> -J


“Discovering...discovering...we will never cease discovering...
and the end of all our discovering will be
to return to the place where we began
and to know it for the first time.”
-T.S. Eliot

More information about the NANOG mailing list