
Six-month old IE vulnerabilities


Lover of quiet computers


Lover of quiet computers
picklepak stated
what about all those holes in IE that remain unpatched after *six months* and allow the execution of malicious code, including code that allows for full system compromise?
What about them? I didn't know such holes existed. Does anyone know where I go to find out about their exact nature, or details about them?

What about them? I didn't know such holes existed.
What makes you think picklepak knows what he's talking about? Are there holes in IE? Probably. Have they been there for 6 months? Only MS knows, and they certainly aren't talking. What can you do to protect yourself? Run an antivirus program and keep it current, run a firewall. If possible, run a router. By using multiple layers of protection the chances of getting infected by something are greatly reduced.

picklepak stated
what about all those holes in IE that remain unpatched after *six months* and allow the execution of malicious code, including code that allows for full system compromise?
What about them? I didn't know such holes existed. Does anyone know where I go to find out about their exact nature, or details about them?
Of course IE has holes. All software generally does. Some info: 30 unpatched IE holes
There are a number of sites offering browser security tests. Here's one: Test Your Browser's Security
Here's a list of other sites to plow through: Security test sites

Or you could run a different browser and not worry about IE holes.
Yeah, use an alternative like Netscape and watch the company fold or dismantle its future development. :devil: Don't be fooled by those touting alternative browsers and mail clients. ALL of them are susceptible to being attacked. Multiple layers of protection is the closest you're going to get to total protection short of turning the pc off.

Guest ThunderRiver

Yes, I definitely agree with Edp on that one. Even Mozilla has holes too, and the development is heavily relying on BugZilla.. and if BugZilla fails to find a vulnerability.... oh oops..


nlinecomputers
Yeah, use an alternative like Netscape and watch the company fold or dismantle its future development.
Mozilla IS Netscape always was. AOL shut netscape down but the Mozilla project is still progressing just fine thank you. NO development has been halted here. Microsoft on the other hand has stated that they aren't planning on any version 7 of Internet Explorer. Nor will any changes be stand alone. You want a newer version of IE get Longhorn. I did not say that Mozilla has no holes. This thread implies that MS is sitting on holes in IE and not doing anything about them and often tries to hide them. In Mozilla anybody can make a bugzilla report and anybody can read the results. Heck if you're a programmer you can even FIX the bug and contribute that to the CVS. Can you do that with Microsoft?

nlinecomputers
Even Mozilla has holes too, and the development is heavily relying on BugZilla.. and if BugZilla fails to find a vulnerability.... oh oops..
Uh BugZilla is a bug reporting and tracking tool not a debugging tool. What exactly can "BugZilla" do to FIND a vulnerability? The users find vulnerabilities just like they find them in any product. They use BugZilla to REPORT the bug not fix it. It is up to the developers to do that.

Even Mozilla has holes too, and the development is heavily relying on BugZilla.. and if BugZilla fails to find a vulnerability.... oh oops..
Uh BugZilla is a bug reporting and tracking tool not a debugging tool. What exactly can "BugZilla" do to FIND a vulnerability? The users find vulnerabilities just like they find them in any product. They use BugZilla to REPORT the bug not fix it. It is up to the developers to do that.
Thanks nline for clearing that up. BugZilla is a great way of reporting bugs and it allows the entire world to help improve the product.

Interesting. I think what's scary about what this article says is the warning Microsoft gives in the patch selection: "This is still a vulnerability even if you don't use IE as your default browsers" (or something to that effect). Since IE is integrated with Explorer functionality, does it not make your computer vulnerable whether you use IE or not?? Or am I missing the point here?

nlinecomputers
Interesting. I think what's scary about what this article says is the warning Microsoft gives in the patch selection: "This is still a vulnerability even if you don't use IE as your default browsers" (or something to that effect). Since IE is integrated with Explorer functionality, does it not make your computer vulnerable whether you use IE or not?? Or am I missing the point here?
That is the point. You can't ignore IE patches. I put every one of them on my system even though I don't use it. However I do use it on Microsoft sites as Mozilla doesn't work well on them (big surprise there...)

Don't be fooled by those touting alternative browsers and mail clients.  ALL of them are susceptible to being attacked.  Multiple layers of protection is the closest you're going to get to total protection short of turning the pc off.
I agree. However, not using the computer is the most extreme measure. Not connecting to the internet and not sharing files, floppies, CD-Rs/CD-RWs, etc. should leave you relatively free from exploits. Otherwise, why bother even getting a computer?? :pirate:

Not connecting to the internet and not sharing files, floppies, CD-Rs/CD-RWs, etc. should leave you relatively free from exploits.
True, but then
why bother even getting a computer??
:D There are less expensive ways to balance your checkbook, write documents and heat the office. B)

Mozilla IS Netscape always was.  ....I did not say that Mozilla has no holes.  This thread implies that MS is sitting on holes in IE and not doing anything about them and often tries to hide them.  ......
I don't agree. Netscape is Mozilla with other features added not vice versa. Your recommendation to the thread's concern was to choose a different browser.
Or you could run a different browser and not worry about IE holes.
, to which my obscure point was even different browsers have problems such as being dropped by their vendor. As for hidden browser holes, which option offers better security; publicly disclosing each and every hole and how to exploit it or keeping them hidden until they can be fixed. If you were going to write a virus which option would help you the most? :rolleyes:

nlinecomputers
As for hidden browser holes, which option offers better security; publicly disclosing each and every hole and how to exploit it or keeping them hidden until they can be fixed. If you were going to write a virus which option would help you the most?
That assumes that both methods are equally able and desire to FIX the vulnerability. This thread is about how IE doesn't fix its problems. Most true critical holes in Open source products are fixed within days of finding it. Even in the rare cases where it doesn't happen once an exploit occurs the problem is quickly fixed. For example the debian servers were compromised by an attack on a hole in the kernel that was known about and published for 9 weeks but rated (mistakenly in hindsight) as a low risk. Once Debian announced that they had been hacked and discovered HOW the attack occurred a patch come forth THAT DAY from the 2.4 kernel team. Yes you risk arming the virus writers but I'll take that risk over the reaction time to fix the problem and the accountability any day over the chaos and denial that runs patch management and security at Microsoft.
I don't agree. Netscape is Mozilla with other features added not vice versa.
And YOUR POINT? I said use Mozilla and you implied that it was an abandoned product. It isn't. I don't follow your complaint. Who the heck cares if NETSCAPE isn't around anymore. They haven't made a browser in 4 to 5 years. Mozilla did all the work and Netscape just relabeled it and added their logo and a bunch of bloat to the product.
Your recommendation to the thread's concern was to choose a different browser.
And it still is. One of the main reasons I don't use IE is to avoid all the security issues with it. I don't get browser hijacked, active X crap or the other junk the typical IE user has to deal with. I spend every day running spybot and ad aware on end user systems that have been vandalized because of the problems with IE. I'm sorry that you disagree but ditching the IE browser for Mozilla is a valid response to its serious security risks. Just like changing locks on your front door is a valid response to a break in.

Guest LilBambi

We definitely can't ignore the vulnerabilities even if we use another browser. They are still there and apparently the main source of the vulnerabilities is the local zone handling. Here's a program that may help take care of the local zone problems so these vulnerabilities are addressed whether Microsoft fixes them or not. Also it can be turned off and on at will. Sounds pretty cool, testing it myself right now. Qwik-Fix™. Created by PivX Solutions, a security company who is offering it free for commercial and non-commercial use. Beta version, but appears quite stable here on Win98SE.

Qwik-Fix™ provides another layer of essential security by closing off the pathways that worms and viruses use to penetrate your PC. It does not affect any of your virus programs, firewall or other programs. Had users installed Qwik-Fix™ on their PC's, the recent LovSan/MS Blaster worm and the Sobig virus would have had no impact on them. And, it will close the doors that the next worm will try to enter thru to infect and spread its payload. Qwik-Fix™ is a product of PivX LABS, and results from our work with some of the largest companies in the world. PivX is a premier security research company which has focused its security research efforts on Microsoft's Windows® and its ubiquitous Internet browser, Internet Explorer. PivX and its worldwide network of security researchers has located, tested and verified hundreds of security vulnerabilities in Internet Explorer alone. As a public service, PivX has also maintained a FREE public online listing of the vulnerabilities that were patched and those that remained Unpatched. Now we have developed Qwik-Fix™, a tool which helps protect your PC from these risky vulnerabilities. Qwik-Fix™ is designed to pro-actively prevent known software vulnerabilities in Windows and Internet Explorer from being exploited by malicious hackers, virus writers and worm writers. Qwik-Fix™ is simple to use, Qwik-Fix™ is easy to download and install. Qwik-Fix™ is dynamic in that it serves as a temporary fix to known vulnerabilities until Microsoft releases a periodic monthly cumulative patch or a new Service Pack. As we find new vulnerabilities our subscribers will be updated immediately, thus staying one step ahead of the bad guys.
How does it work? Qwik-Fix™ changes baseline system settings and features which the majority of users do not need. This is a proactive step to stop worms and viruses like Blaster and SoBig from infecting innocent users and then further spreading. If you would like to know just how Qwik-Fix™ works, please contact a PivX representative for an NDA (Non Disclosure Agreement).
From the Qwik-Fix™ FAQ
This program was noted here in a posting to Security Focus: FW: Comments on 5 IE vulnerabilities

Yeah, use an alternative like Netscape and watch the company fold or dismantle its future development.
Who cares, for now one download of Firebird will provide a vastly more secure browser, without the need to patch it every 10 minutes like IE. And as I recall it was a company named Netscape that started the whole ball rolling, while it wasn't too long that Bill Gates referred to the internet as "a toy". What a visionary.

Guest LilBambi

Actually, if you are talking about Testimony of Bill Gates to the Committee on the Judiciary United States Senate (March 3, 1998), which is also posted on Microsoft's site as well here, he actually referred to the personal computer as a toy in testimony:

Today, the personal computer has become a powerful and easy-to-use fixture in most offices and is becoming more common in our schools and in our homes. Prices for personal computers continue to fall, even as PCs become more powerful and offer greater features than ever before. As recently as 1990, for example, a typical personal computer with an Intel 386 chip, 2Mb of RAM and a 60 Mb hard drive cost about $3,000. Today, for half the price you can buy a multimedia personal computer with an Intel Pentium chip that is 8 times faster, has 16 times more RAM, 65 times more storage capacity, a CD-ROM drive and, of course, a vastly improved operating system. Just two weeks ago, The Washington Post touted an upsurge in sales of $1,000 PCs and predicted that prices would fall even lower. (A Hewlett-Packard representative was quoted as predicting $599 PCs by Christmas.) As prices continue to spiral downward while performance improves at an accelerating rate, soon every business, school and household will be able to take advantage of the enormous benefits from what was once thought of as a luxury or as an expensive toy. Personal computers will become as commonplace in American households as a television or a telephone.
Unless you had a different quote in mind.

Once Debian announced that they had been hacked and discovered HOW the attack occurred a patch come forth THAT DAY from the 2.4 kernel team. Yes you risk arming the virus writers but I'll take that risk over the reaction time to fix the problem and the accountability any day over the chaos and denial that runs patch management and security at Microsoft.
"a patch come forth THAT DAY". So, an IE patch for the SoBig virus had come out a month or so before the virus hit but many didn't install it. Developing patches after the fact, and requiring the client to be constantly checking for fixes, is ineffective. MS has WU for IE and clients didn't use it, what does Mozilla use to apply these same day fixes that's more effective than WU?
For example the debian servers were compromised by an attack on a hole in the kernel that was known about and published for 9 weeks but rated (mistakenly in hindsight) as a low risk.
Apparently the Mozilla developers follow MS's philosophy. And switching from IE, which is accused of not fixing every known hole immediately, to Mozilla, which has a hole which is public knowledge for 9 weeks (ie over 2 months), is a better option eh?
And YOUR POINT? I said use Mozilla and you implied that it was an abandoned product.
No, you said
Mozilla IS Netscape always was.
and that is incorrect. Netscape is Mozilla with features added in. Mozilla isn't Netscape with features removed. And Mozilla will continue being developed even though Netscape is dormant, again. Mozilla may even precede Netscape's Mosaic beginnings but I'm not sure. You also said to use a different browser to resolve all the problems associated with IE. My, apparently obscure, point was using a different browser, like my use of Netscape, isn't a perfect solution, one may find that the different browser has different problems like frozen development.
Who the heck cares if NETSCAPE isn't around anymore.
Well, gee, I do. I like my Netscape. :(
I spend every day running spybot and ad aware on end user systems that have been vandalized because of the problems with IE.
I find most adware/spyware problems are related to the naive and foolish clients, or their family members, thinking that all the free cute smilies and music and taskbar aides are so great to have and easy to install and just like their friends and etc, rather than IE problems.
ditching the IE browser for Mozilla is a valid response to its serious security risks. Just like changing locks on your front door is a valid response to a break in.
So too is running an AV and a firewall a valid response. You don't have to replace the door to prevent break ins, you can add a dead bolt. And it would be better to do it before the break in rather than as a response after one. :thumbsup: BTW IMHO a better response to a door break in is to move! :D

it wasn't too long that Bill Gates referred to the internet as "a toy".
If Lil Bambi is right with her source of the quote, it was 5 1/2 YEARS ago to which Gates spoke of "what was once thought of as a luxury or as an expensive toy." which was also past tense and not in the first person then I would say it was definitely a LONG time ago. Especially in terms of technology. The quote also doesn't imply that Gates had that thought rather that he knew OTHERS once did.
And as I recall it was a company named Netscape that started the whole ball rolling,
I believe it was a college kid named Marc Andreessen and his software called Mosaic actually. MS didn't become overly involved until Andreessen challenged Gates with his famous Netscape would "take over the whole desktop." quote. That was like waving a red flag in front of a bull.

Actually, if you are talking about Testimony of Bill Gates to the Committee on the Judiciary United States Senate (March 3, 1998), which is also posted on Microsoft's site as well here, he actually referred to the personal computer as a toy in testimony:
Today, the personal computer has become a powerful and easy-to-use fixture in most offices and is becoming more common in our schools and in our homes. Prices for personal computers continue to fall, even as PCs become more powerful and offer greater features than ever before. As recently as 1990, for example, a typical personal computer with an Intel 386 chip, 2Mb of RAM and a 60 Mb hard drive cost about $3,000. Today, for half the price you can buy a multimedia personal computer with an Intel Pentium chip that is 8 times faster, has 16 times more RAM, 65 times more storage capacity, a CD-ROM drive and, of course, a vastly improved operating system. Just two weeks ago, The Washington Post touted an upsurge in sales of $1,000 PCs and predicted that prices would fall even lower. (A Hewlett-Packard representative was quoted as predicting $599 PCs by Christmas.) As prices continue to spiral downward while performance improves at an accelerating rate, soon every business, school and household will be able to take advantage of the enormous benefits from what was once thought of as a luxury or as an expensive toy. Personal computers will become as commonplace in American households as a television or a telephone.
Unless you had a different quote in mind.
I think the quote is being taken out of context. He was referring to how PC's were viewed at some point prior to this statement. And what he is saying was generally correct at the time. Here's an interview so everyone can check what Gates is saying these days (note, it's a 3 part interview so you'll have to follow the links forward): http://www.alwayson-network.com/comments.p...id=1850_0_1_0_C

Guest LilBambi
He was referring to how PC's were viewed at some point prior to this statement.  And what he is saying was generally correct at the time.
Exactly, ibe98765. Yes, that was pretty clear in the quote.... Bill Gates was referring to a statement by someone (he didn't identify who) that had said (in history) the PC was a luxury or a very expensive toy.