The problem with IE is the same problem as Windows: the basic design is fundamentally insecure, and "timely updates" can't fix that.
Bruce

On Thu, Jan 21, 2010 at 9:19 PM, James Hess <mysi...@gmail.com> wrote:
> On Thu, Jan 21, 2010 at 9:52 PM, Gadi Evron <g...@linuxbox.org> wrote:
>> On 1/15/10 5:52 PM, Steven Bellovin wrote:
> ..> 2. Is Microsoft, while usually timely and responsible, completely
>> irresponsible in wanting to patch this only in February? While they patched
>> it sooner (which couldn't have been easy), their overall policy is very
>> disturbing and in my opinion calls for IE to not be used anymore.
>
> It is not as if there is a wealth of alternatives. There are still
> many cases where IE or MSHTML components are a prerequisite to
> access a certain product that is important to the user. A
> canonical example would be:
>
> Intranet apps, web-managed routers, switches, firewalls, or other
> network infrastructure that can only be administered using MSIE
> version 6 (ActiveX control, or old HTML relying on IE features) --
> probably devices with old software.
> Mail readers such as Outlook with MSHTML components embedded.
>
> ..> 3. Why are people treating targeted attacks as a new threat model? Their
>> threat models are just old. This we discussed here.
>
> It's an old model that could have fallen into some measure of disuse.
> Targeted attacks are possibly riskier to launch than randomly
> dispersed attacks, and require an insider or more determined
> attacker who can effect social engineering in the right place; the
> result is they are rarer.
>
> Intuitively, hardly any user thinks they can personally be subject
> to a complex targeted attack penetrating multiple security layers and
> requiring obscure enterprise-specific info.... until it happens...
> because people assume complexity of the required attack, and
> 'security software' such as Antivirus lead to a high level of safety,
> without ever having a logical or statistically rigorous basis for
> arriving at the assumption.
>
> Perhaps there were so many non-targeted attacks that the idea of
> "targeted attack" was drowned out of the security dialogue and
> forgotten by some.. or there was a mistaken belief that the
> targeted attacks automatically get stopped by the firewall and
> mod_security...
>
> --
> I believe 3 to 4 weeks is par for the course with most major
> software manufacturers, even for a patch to a critical security
> issue...
>
>
> It is really impossible to make a reasonable assessment on
> Microsoft's response based on just one event (where in fact, they
> pulled through).
>
> I don't perceive that Microsoft have any solid history of being more timely
> or more responsible than other vendors. In most cases, they have
> released patches soon after a serious advisory was made public, but
> the date the vulnerability was first discovered and reported to
> Microsoft is not disclosed in the advisory or patch too often, that
> I saw. As I understand: a vulnerability might have first been
> reported to MS months or years before they released a patch or even
> acknowledged there was an issue, in some cases. Sometimes they even
> advise, but say there will be no patch (e.g. Windows XP and
> MS09-048).
>
>
> A "true" zero day like the recent one, where the exploit is in the
> wild and in use by blackhats prior to the vendor even being aware of
> a possible vulnerability, is a different animal than routine
> security patches (even ones listed as critical or high-priority).
>
> Because (no doubt) it requires some strong measure of analysis first
> to determine what code is being exploited, in addition to the normal
> steps involved in fixing a hole.... e.g. determining what the
> actual possible bug(s) are, and how to fix, without probably
> introducing new ones, or missing some conditions.
>
>
> --
> -J
>

--
“Discovering...discovering...we will never cease discovering...
and the end of all our discovering will be to return to the place where we began and to know it for the first time.” -T.S. Eliot