August 13th, 2002, 04:13 PM
Yet another IE flaw...SSL this time
That's right folks...SSL is not secure and hasn't been for 5 years. I think what irks me the worst here is the M$ response...
"What this means is that all the cryptographic protections of SSL don't work if you're a Microsoft IE user," Schneier added.
Microsoft downplays report
Microsoft is investigating the IE flaw, said Scott Culp, manager of the Microsoft Security Response Center. Certain mitigating factors diminish the risk to users, he added.
Let's see...could those 'mitigating factors' include being smart enough to not use IE? And while we're at it...M$ 'downplays' this gaping hole in IE...real smart M$...your software has a hole that allows credit card numbers to be stolen and you say it's not a big deal? Those numbers belong to people who are YOUR customers, you heartless bastards!
Want to read the story?
It isn't paranoia when you KNOW they're out to get you...
August 13th, 2002, 04:24 PM
Good info, thanks for the post. It is good to get a handle on as many M$ "features" as possible.
"We are pressing through the sphincter of assholiness"
August 13th, 2002, 06:25 PM
Ugh, does anyone know if MS is working on a patch for this, or if they are just going to try to downplay this whole thing and hope that it goes away?
My question is HOW does something like this get by their QA? I mean SSL was designed to thwart "man in the middle" attacks, but their implementation of it is completely vulnerable to it. Sheesh, you would think that their QA team would learn after a while.
August 13th, 2002, 06:32 PM
Microsoft's IE utilization of the SSL certificates is what is broken. But this is not limited to just IE; the Konqueror browser found commonly in Linux distros is also affected by the same flaw. But we must understand that not ALL SSL is broken. In fact SSL is still secure, but the way that the certificates are handled is not.
A nasty site operator can sign an invalid certificate with the signature of a valid one, and the browsers (IE, Konq.) do not test the validity of the signer. So if you're viewing reputable sites, your data is still fairly safe.
More can be found on the flaw here: http://www.theregister.co.uk/content/55/26620.html
But on the flip side, it looks as if Konqueror has developed a patch already; too bad MS hasn't.
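The check the post above describes as missing, shown as an added example that is not part of the original thread: in X.509 the question "may this signer sign certificates at all?" is answered by the Basic Constraints CA flag, which the thread itself does not name. The host names `root.example`, `shop.example` and `bank.example` and all keys are constructed; `signatureOnly` models the flawed behaviour and `strict` is Go's standard `crypto/x509` path validation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) { if err != nil { panic(err) } } // abort the demo on setup errors
// issue makes a one-hour cert for host (constructed name), signed by parent or self-signed if nil.
func issue(host string, isCA bool, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, IsCA: isCA} // isCA is the Basic Constraints CA flag
	if parent == nil {
		parent, signer = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}
// signatureOnly is the flawed test: the issuer's key signed the child, and nothing else is asked.
func signatureOnly(child, issuer *x509.Certificate) bool {
	return issuer.CheckSignature(child.SignatureAlgorithm, child.RawTBSCertificate, child.Signature) == nil
}
// strict runs full path validation, which also requires every issuer in the path to be a CA.
func strict(leaf *x509.Certificate, host string, roots, inter *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: host})
	return err
}
// demo: root.example (CA) issues shop.example (not a CA); the shop key then signs bank.example.
func demo() (naive bool, forged, legit error) {
	root, rootKey := issue("root.example", true, nil, nil)
	shop, shopKey := issue("shop.example", false, root, rootKey)
	bank, _ := issue("bank.example", false, shop, shopKey)
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inter.AddCert(shop)
	naive = signatureOnly(bank, shop) && signatureOnly(shop, root)
	return naive, strict(bank, "bank.example", roots, inter), strict(shop, "shop.example", roots, inter)
}
func main() { fmt.Println(demo()) }
```

Every signature in the constructed chain is cryptographically valid, which is why a signature-only walk accepts it; only the CA-flag check on the middle certificate separates the properly issued `shop.example` certificate from the one its key signed.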
August 13th, 2002, 06:43 PM
I loved the Sun LX 50 ad introducing Linux on a Sun server today:
Quote: "We would've put Windows on it too, but there wasn't enough room for all the security patches".
San Jose Mercury News - Tuesday, Aug. 13th 2002
What a great way to start my morning by reading that :-)
August 13th, 2002, 06:47 PM
Well, I know that Konqueror has a fix out, and that Opera has one too. I also understand how the vulnerability works. My concern comes in to the speed with which MS responds to security holes of this magnitude.
According to the first article MS is still "reviewing" this scenario, while the open source folks already have patches out.
It's fine and dandy that the open source community has fixed their implementations, but MS still has about 90% of the browser market so there is still a HUGE risk exposure for the vast majority of companies and end users.
loves MS's "new outlook on security"
August 13th, 2002, 07:42 PM
Is Mozilla vulnerable? Just wondering. I still use IE periodically since my mom refuses to use Mozilla. I have heard that Microsoft is trying to improve the security of their software by changing the coding. Not sure how true that is. I think Microsoft needs to spend more time testing before they release their products to the market. My opinion anyway.
In snatches, they learn something of the wisdom
which is of good, and more of the mere knowledge which is of evil. But must I know what must not come, for I shale become those of knowledgedome. Peace~
August 13th, 2002, 08:30 PM
ele5125 - my understanding is that Mozilla is NOT vulnerable to this "exploit", and has been tested. There were a couple of others out there that looked like they were doing the same "attempt" at verification of the certificate that MS was doing and therefore were vulnerable, but they have already patched unlike MS.
wonders about MS's QA dept
August 16th, 2002, 03:40 PM
Has anyone else noticed that MS is being particularly quiet about this vulnerability?
No patch, no comments. Hmm...
Yesterday on one of the lists I'm part of someone said they had seen a patch for this on the MS website, but that it was removed. There was even a Q number attached to it, and emails were sent out to "gold" support customers, but now it's gone and even the gold links don't work.
I got independent verification of the email from some of my "gov't" sources, and they say that they don't have a copy of the IE 6.x SP1 "patch" that the email refers to. They also say that MS is not returning their calls regarding this. Makes one wonder....
August 16th, 2002, 04:38 PM
I would have to agree with the rest of the posters on this thread, although I know I am preaching to the choir. About a month or so ago I went to a Microsoft security training class put on by New Horizons. Throughout the class the instructor was touting how M$ had declared security to be top priority. Their goal was to change their image and show that they took security seriously.
However, when an incident like this crops up they do a couple of things that make it clear that when they say security it is giving people a false sense of security in their product. First they complained that the person who found this flaw posted it to a popular security website (which one was not mentioned). Since this vulnerability could affect different browsers (as indeed it did) I would consider this a smart move. M$ felt he should have contacted them directly. I think M$ would have been contacted directly if they didn't appear to treat everyone who finds holes like an enemy to be crushed rather than an ally to be praised. Then they declared it a minor problem, a statement which is directly opposed by a number of security specialists. Finally they give a cryptic "we are studying the problem to see if there is a problem" type statement.
If they want to improve their image and their response they should 1) thank the man for finding their bug for them, 2) acknowledge the problem and state that they are working to rectify it. 3) They might even want to tap into the resources by consulting with the person who found it and the others who have tested and documented it to get input on fixing it.
If they started acting this way maybe these "beta testers", as most hackers truly are, would start contacting them directly rather than going to public sites so some attention will be paid to the problem. As one last final note though we must remember that M$ is not the only software company who has shown this tendency to hide the facts hoping they will go away rather than fix them. Most have also heard of Sun doing this which led to the development of SATAN and many other events where bean counters and pencil pushers make decisions based upon money and convenience rather than what is right and, in the long run, beneficial to both the community and the company.
"We are pressing through the sphincter of assholiness"