BugTraq
Microsoft and Security Jun 25 2004 06:53PM
http-equiv (at) excite (dot) com [email concealed] (1 malware com) (1 replies)


Where is Microsoft now "protecting their customers" as they love
to bray? Should not someone in authority of this public company
step forward and explain themselves at this time?

All of a sudden panic is being created across the WWW with "IIS
Exploit Infecting Web Site Visitors With Malware", "Mysterious
Attack Hits Web Servers", "Researchers warn of infectious Web
sites" all stemming from all news accounts from an
unpatched "problem" with Internet Explorer now two weeks old and
counting, which in fact in reality stems from 10 months ago,
that being the adodb.stream safe for scripting control with
write capabilities.

What exactly is being done about this? Nothing. What does
multiple billions of dollars buy you today. Nothing. However for
$20 million you can almost fly to the moon.

Someone ought to step forward and explain what exactly is
happening at this public company. The great "protector of their
customers". One might even suggest that their entire "security"
mandate be re-examined. What exactly do they consider a
vulnerability? Something that suits them or something that's
cost effective to fix. So what, a few people lose their
identities, have a few dollars extracted from their bank
accounts, have their home pages reset, we'll fix it when it
suits us as we have to be on budget this quarter. The Big Boss
says $40 billion isn't enough this year.

A vulnerability:

http://www.microsoft.com/technet/archive/community/columns/security/essays/vulnrbl.mspx

"A security vulnerability is a flaw in a product that makes it
infeasible - even when using the product properly - to prevent an
attacker from usurping privileges on the user's system,
regulating its operation, compromising data on it, or assuming
ungranted trust."

What is this gibberish? For the past 10 months the adodb.stream
object is capable of writing files to the "all important
customer's" computer. It has real world consequences. It rapes
their computer. Does it fit into the gibberish custom
definition. Plain and simple: "A security vulnerability is a
flaw in a product that makes it infeasible". What kind of
language is this. Reads like the financial department conjured
it up.

Disabling scripting won't solve it. Putting sites in one of the
myriad of "zones" won't solve it. Internet Explorer can
trivially be fooled into operating in the less than secure
so-called "intranet zone" and it can be guided there remotely.

What's happening here. Where is the Microsoft representative
explaining all of this to the shareholders and "customers" they
so dearly wish to protect. This is unacceptable. Someone must
be held accountable.

--
http://www.malware.com

Re: Microsoft and Security Jun 26 2004 08:21AM
Radoslav Dejanović (radoslav dejanovic opsus hr) (1 replies)
Re: Microsoft and Security Jun 28 2004 12:41PM
Justin Wheeler (jwheeler datademons com) (1 replies)
RE: Microsoft and Security Jul 04 2004 09:06PM
Alun Jones (alun texis com) (3 replies)
Re: Microsoft and Security Jul 06 2004 12:33AM
Jason Coombs (jasonc science org)
Re: Microsoft and Security Jul 05 2004 05:58PM
Justin Wheeler (jwheeler datademons com) (1 replies)
RE: Microsoft and Security Jul 05 2004 11:10PM
Alun Jones (alun texis com) (2 replies)
Re: Microsoft and Security Jul 09 2004 03:21PM
Valdis Kletnieks vt edu (1 replies)
Re: Microsoft and Security Jul 12 2004 11:47AM
Charles Otstot (charles otstot ncmail net) (1 replies)
Re: Microsoft and Security Jul 17 2004 12:47AM
Lucas Holt (luke foolishgames com)
RE: Microsoft and Security Jul 06 2004 07:04PM
David F. Skoll (dfs roaringpenguin com) (1 replies)
Re: Microsoft and Security Jul 07 2004 12:57PM
Adam Shostack (adam homeport org)
RE: Microsoft and Security Jul 05 2004 07:40AM
Radoslav Dejanovic (radoslav dejanovic opsus hr)