Microsoft Reply

I recieved this in a bugtraq mailing. ken'@FTU found a DoS against IE in 2K and XP.... It is a 2 line object that causes IE to crash. Here is Microsofts reply...

Quote:

---

"Suppose a flaw in a web browser could be misused by a web site to
"hang" the browser of any user who visited the site. If the user were
able to resume normal operation by stopping the browser, restarting it,
and avoiding the attacker's web site in the future, the flaw would not
constitute a security vulnerability."
(For the complete definition of a security vulnerability please see
http://www.microsoft.com/technet/tre...ty/vulnrbl.asp )

---

Sounds like typical Microsoft. If you can restart, then you are ok....

All hail the mighty M$FT three finger salute -- <Ctrl>+<Alt>+<Del>...

What's next... are they just going to ask users to avoid connecting to the internet?
gee.... the sick thing is that this is not even shocking...

its kinda funny that here you have a manufacturer who says that they take a keen interest in network security, however they give you the typical reactive vs proactive response to a threat. "if it happens, do this..." They should instead focus on trying to prevent this vulnerability.

Its not just microsoft either, the whole concept of IDS has some inherent flaws. Break apart the name "intrusion detection system". So it detected an intrusion that already occured??? Big deal. How about developing an"intrusion prevention system"??? The whole reaction response baffles me...

I one day expect to see something like this in the headlines:

<spoof>
Just issued from Microsoft Headquarters in Redmond:

Quote:

---

Microsoft security experts have determined that the new use of "networks" now pose a severe security threat to Windows. It is the duty of all Windows users to protect Windows at all costs. We are recommending disconnecting your computer from all phone, ethernet, and coax cables immediately. In fact, many other, more standard input devices have also been found to cause problems in Windows systems. We therefore also recommend disconnecting any mice, keyboards, or USB devices you currently have connected to your system. In addition, any systems in the "powered off" state also may pose a serious threat to Windows. Our technicians are looking into an eternal power system add-on that will provide users with an un-interrupted, perpetual Windows blue screen of de--EXPERIENCE...I meant experience. An un-interrupted, perpetual Windows experience. Ha ha. Well, that concludes our statement.

---

</spoof>

Don't know if it makes any sense to this thread, but .... a couple of news items i've come across lately indicate that MS seems to be at odds with Sun: Sun is selling their office package ("Star" something) for about eighty-bucks, compared with close to five-hundred for MSOffice, and making serious inroads into that market. Also Sun is making gains (around ten percent they say) in the OS market, and MS says they will stop supporting (i suppose that means no more updates to accomodate, rather than dropping all support?...) Sun Java by 2004. If that's in the works, looks like i gotta figure out what language to replace a lot of my website objects with. Maybe by then i'll be too tired to worry about it, who knows. :(

I read somewhere in M$ site that they're creating one new .NET stuff to replace Sun's JAVA...
IMHO They'll get a lot of trouble, because JAVA is an awesome language that have been developed for years...

But about the Staroffice... I tried when it was freeware...I didn't like it. ok ok I used it in M$ Windows...This can make it different... In *nix should run fine... It looks like the M$ Works... that is almost the same price of S.O. (here, is cheaper)....


______
mOTA

Wow......maybe I should just use Microsoft's reply as life wisdom, if something goes wrong, I'll just avoid it. I think that would be a great tactic at work, I'll just stay home and play on my computer all day since yesterday was just all wrong. And when my car has a problem, it's okay, because I'll go buy a new one. No point in fixing something you can intentionally avoid.

If M$ stops supporting JAVA, they are going to quickly loose out to other browsers that will. That would have to be one of the stupidest things they could do. No one would update past IE 6, hell i stayed at 5. Netscape, mozilla, and numerous other browsers will dive into the market and take over. IMO
x

Quote:

---

Originally posted here by souleman
I recieved this in a bugtraq mailing. ken'@FTU found a DoS against IE in 2K and XP.... It is a 2 line object that causes IE to crash. Here is Microsofts reply...
[...]
Sounds like typical Microsoft. If you can restart, then you are ok....

---

<edit>This actually dates back to something MS posted in December 2000</edit>

<rant>
Oh geez... well, I guess this kind of explains their whole perspective on viruses/trojans, as well... as welll as just their whole attitude in the computer world.

Is it just something up there in that Seattle/Redmond air that rots these people's brains and somehow allows them to think up things like "well, if you just don't do that, then we'll pretend it never happened and that your computer still runs fine." Funny how specifically I believe the RFCs say "that which you don't understand you ignore" (in context of the web browser) not "process it and if it blows chunks call it a feature."

Frankly, I think it's a program's job to not crash and to simply recover gracefully no matter what kind of garbage I throw at it. There's absolutely nothing that I should be able to feed a web browser (or an editor, etc) that will cause it to freak out or whatever... at worst, it should just say "I'm sorry Dave, I'm afraid I can't do that."
</rant>

*SIGH*

I was going to cite a couple of examples with car manufacturers in similiar vain (ie. what would happen if they didn't ...) but I guess when you're dealing with people's lives, then... all bets are probably off.