Anyone see a game changer here?
williams.bruce at gmail.com
Fri Jan 22 05:26:45 UTC 2010
The problem with IE is the same problem as Windows, the basic design
is fundementally insecure and "timely updates" can't fix that.
On Thu, Jan 21, 2010 at 9:19 PM, James Hess <mysidia at gmail.com> wrote:
> On Thu, Jan 21, 2010 at 9:52 PM, Gadi Evron <ge at linuxbox.org> wrote:
>> On 1/15/10 5:52 PM, Steven Bellovin wrote:
> ..> 2. Is Microsoft, while usually timely and responsible, completely
>> irresponsible in wanting to patch this only in February? While they patched
>> it sooner (which couldn't have been easy), their over-all policy is very
>> disturbing and in my opinion calls for IE to not be used anymore.
> It is not as if there are a wealth of alternatives. There are still
> many cases, where IE or MSHTML components are a pre-requisite, to
> access a certain product that is important to the user. A
> canonical example, would be:
> Intranet apps, web-managed routers, switches, firewalls, or other
> network infrastructure that can only be administered using MSIE
> version 6 (ActiveX control, or old HTML relying on IE features) --
> probably devices with old software.
> Mail readers such as Outlook with MSHTML components embedded.
> ..> 3. Why are people treating targeted attacks as a new threat model? Their
>> threat models are just old. This we discussed here.
> It's an old model that could have fallen into some measure of disuse.
> Targeted attacks are possibly riskier to launch than randomly
> dispersed attacks, and require an insider or more determined
> attacker who can effect social engineering in the right place; the
> result is they are rarer.
> Intuitively, hardly any user thinks they can personally be subject
> to a complex targetted attack penetrating multiple security layers and
> requiring obscure enterprise-specific info.... until it happens...
> because people assume complexity of the required attack, and
> 'security software' such as Antivirus lead to a high level of safety,
> without ever having a logical or statistically rigorous basis for
> arriving at the assumption.
> Perhaps there were so many non-targetted attacks, that the idea of
> "targetted attack" was drowned out of the security dialogue and
> forgotten by some.. or there was a mistaken belief that the
> targetted attacks automatically get stopped by the firewall and
> I believe 3 to 4 weeks is par for the course, with most major
> software manufacturers, even for a patch to a critical security
> It is really impossible to make a reasonable assessment on
> Microsofts' response based on just one event (where in fact, they
> pulled through).
> I don't perceive that Microsoft have any solid history of being more timely or
> more responsible, than other vendors. In most cases, they have
> released patches soon after a serious advisory was made public, but
> the date the vulnerability was first discovered and reported to
> Microsoft, is not disclosed in the advisory or patch too often, that
> I saw. As I understand: a vulnerability might have first been
> reported to MS months or years before they released a patch or even
> acknowledged there was an issue, in some cases. Sometimes they even
> advise, but say there will be no patch (e.g. Windows XP and
> MS09-048 ).
> A "true" zero day like the recent one, where the exploit is in the
> wild and in use by blackhats prior to the vendor even being aware of
> a possible vulnerability, is a different animal, than routine
> security patches (even ones listed as critical or high-priority).
> Because (no doubt) it requires some strong measure of analysis first
> to determine what code is being exploited, in addition to the normal
> steps involved in fixing a hole.... e.g. determining what the
> actual possible bug(s) are, and how to fix, without probably
> introducing new ones, or missing some conditions.
“Discovering...discovering...we will never cease discovering...
and the end of all our discovering will be
to return to the place where we began
and to know it for the first time.”
More information about the NANOG