Microsoft strike again (why are we not in the least surprised ...)

Latest announcements detail a Windoze vulnerability when using IE.

http://blogs.technet.com/b/msrc/arch...y-2501696.aspx

and

http://www.microsoft.com/technet/sec...y/2501696.mspx

Seems this flaw is in "all versions of Windoze", restated as "all
supported versions" in another of those links. Probably the case that
Microshaft don't give a **** about those still hanging in with
unsupported versions ...

Wonder if the CSS processing in other browsers exposes the same
underlying Win-exploit.

See also the beeb article at

http://www.bbc.co.uk/news/technology-12325139

who where wrote:

Wonder if the CSS processing in other browsers exposes the same
underlying Win-exploit.

Only Internet Explorer is at risk, because it's the only one that uses
the vulnerable code library.

Though, your thinking that other browsers may also be affected is
entirely understandable, because it's normal practice that Microsoft
gets you to work around the vulnerability by modifying the registry
(which they don't support) rather than run any other browser (which is
never going to happen in a million years).


Apparently, shooting yourself in the foot by releasing insecure code in
ALL versions of your operating system is the normal, preferred,
recommended course of action.

Because come hell or high water, there is no way (flying pigs or not)
that they're going to admit their only browser has yet another security
hole.
--
How come there's only one Monopolies Commission?

who where wrote:

Latest announcements detail a Windoze vulnerability when using IE.

http://www.microsoft.com/technet/sec...y/2501696.mspx

Seems this flaw is in "all versions of Windoze", restated as "all
supported versions" in another of those links.

Probably the case that Microshaft don't give a **** about those
still hanging in with unsupported versions ...

It's not that Macro$haft doesn't "give a ****".

The truth is that Milkrosoft would be too embarrased to admit that
win-9x/me are NOT affected by this vulnerability.

And they're not - I've tested proof-of-concept and example code for this
vulnerability on my win-98 systems and it doesn't work.

In the past (when win-98 was still supported) Meekroshaft would release
advisory notices that made it appear that win-98 was affected by the
announced vulnerability, but only when you drilled down into the details
of the advisory would you find cryptic statements that indicated that
win-98 was NOT affected.

98 Guy wrote:
who where wrote:

Latest announcements detail a Windoze vulnerability when using IE.

http://www.microsoft.com/technet/sec...y/2501696.mspx

Seems this flaw is in "all versions of Windoze", restated as "all
supported versions" in another of those links.

Probably the case that Microshaft don't give a **** about those
still hanging in with unsupported versions ...

It's not that Macro$haft doesn't "give a ****".

The truth is that Milkrosoft would be too embarrased to admit that
win-9x/me are NOT affected by this vulnerability.

And they're not - I've tested proof-of-concept and example code for this
vulnerability on my win-98 systems and it doesn't work.

I'm not saying that your conclusion is wrong, but that the method you
derived to get there was flawed. A vulnerability is one thing, and
exploit code POC is another. If the POC code doesn't support W98, the
exploit won't work, but that does *not* mean that the vulnerability does
not exist. Someone with nothing better to do than craft exploits for
antique machines perhaps could still write one that *does* support W98.

FromTheRafters wrote:

And they're not - I've tested proof-of-concept and example code
for this vulnerability on my win-98 systems and it doesn't work.

I'm not saying that your conclusion is wrong, but that the method
you derived to get there was flawed. A vulnerability is one thing,
and exploit code POC is another.

If the POC code doesn't support W98, the exploit won't work, but
that does *not* mean that the vulnerability does not exist.

Why is it that every time a newly-discovered exploit is found to not
work on win-98, there are those that cling to the belief that win-98
*does contain* the vulnerability - except that the exploit must be coded
slightly differently for it to execute properly on win-98. ?

Someone with nothing better to do than craft exploits for
antique machines perhaps could still write one that *does*
support W98.

You have no basis (for the time being) to suppose that there are
variations on the coding for this vulnerability that will execute
properly on win-9x systems, or that code variations are even a
possibility given the functional details of this exploit.

Most NT-fanbois (NT includes 2K, XP, vista, etc) are very quick to point
out the VAST, HUGE differences between the 9x and NT line of windoze
(differences in how the kernel works, how memory is used, stacks, heaps,
etc). Funny how all these differences seem to melt away when we talk
about these exploits. Funny how all of a sudden 9x is more like NT when
it comes to these exploits.

98 Guy wrote:
FromTheRafters wrote:

And they're not - I've tested proof-of-concept and example code
for this vulnerability on my win-98 systems and it doesn't work.

I'm not saying that your conclusion is wrong, but that the method
you derived to get there was flawed. A vulnerability is one thing,
and exploit code POC is another.

If the POC code doesn't support W98, the exploit won't work, but
that does *not* mean that the vulnerability does not exist.

Why is it that every time a newly-discovered exploit is found to not
work on win-98, there are those that cling to the belief that win-98
*does contain* the vulnerability - except that the exploit must be coded
slightly differently for it to execute properly on win-98. ?

Why is it that even though I carefully worded my post so as to not have
you jump to W98's defense, you still feel that you must do so. My post
wasn't about W98, but about your misconception about how exploit based
malware works.

Someone with nothing better to do than craft exploits for
antique machines perhaps could still write one that *does*
support W98.

You have no basis (for the time being) to suppose that there are
variations on the coding for this vulnerability that will execute
properly on win-9x systems, or that code variations are even a
possibility given the functional details of this exploit.

You are correct, but that doesn't change the fact that your stated
reasoning is flawed. I'm referring to the idea that 'the exploit POC
code didn't work, therefore the OS is not vulnerable to the exploit'.

[...]