#1
Microsoft strike again (why are we not in the least surprised ...)
Latest announcements detail a Windoze vulnerability when using IE.
http://blogs.technet.com/b/msrc/arch...y-2501696.aspx and http://www.microsoft.com/technet/sec...y/2501696.mspx

Seems this flaw is in "all versions of Windoze", restated as "all supported versions" in another of those links. Probably the case that Microshaft don't give a **** about those still hanging in with unsupported versions ...

Wonder if the CSS processing in other browsers exposes the same underlying Win-exploit.

See also the beeb article at http://www.bbc.co.uk/news/technology-12325139
#2
who where wrote:
> Wonder if the CSS processing in other browsers exposes the same underlying Win-exploit.

Only Internet Explorer is at risk, because it's the only one that uses the vulnerable code library. Though, your thinking that other browsers may also be affected is entirely understandable, because it's normal practice that Microsoft gets you to work around the vulnerability by modifying the registry (which they don't support) rather than run any other browser (which is never going to happen in a million years).

Apparently, shooting yourself in the foot by releasing insecure code in ALL versions of your operating system is the normal, preferred, recommended course of action. Because come hell or high water, there is no way (flying pigs or not) that they're going to admit their only browser has yet another security hole.

--
How come there's only one Monopolies Commission?
#3
who where wrote:
> Latest announcements detail a Windoze vulnerability when using IE.
> http://www.microsoft.com/technet/sec...y/2501696.mspx
> Seems this flaw is in "all versions of Windoze", restated as "all supported versions" in another of those links. Probably the case that Microshaft don't give a **** about those still hanging in with unsupported versions ...

It's not that Macro$haft doesn't "give a ****". The truth is that Milkrosoft would be too embarrassed to admit that win-9x/me are NOT affected by this vulnerability. And they're not - I've tested proof-of-concept and example code for this vulnerability on my win-98 systems and it doesn't work.

In the past (when win-98 was still supported) Meekroshaft would release advisory notices that made it appear that win-98 was affected by the announced vulnerability, but only when you drilled down into the details of the advisory would you find cryptic statements that indicated that win-98 was NOT affected.
#4
98 Guy wrote:
> who where wrote:
>> Latest announcements detail a Windoze vulnerability when using IE.
>> http://www.microsoft.com/technet/sec...y/2501696.mspx
>> Seems this flaw is in "all versions of Windoze", restated as "all supported versions" in another of those links. Probably the case that Microshaft don't give a **** about those still hanging in with unsupported versions ...
>
> It's not that Macro$haft doesn't "give a ****". The truth is that Milkrosoft would be too embarrassed to admit that win-9x/me are NOT affected by this vulnerability. And they're not - I've tested proof-of-concept and example code for this vulnerability on my win-98 systems and it doesn't work.

I'm not saying that your conclusion is wrong, but that the method you derived to get there was flawed. A vulnerability is one thing, and exploit code POC is another. If the POC code doesn't support W98, the exploit won't work, but that does *not* mean that the vulnerability does not exist.

Someone with nothing better to do than craft exploits for antique machines perhaps could still write one that *does* support W98.
#5
FromTheRafters wrote:
>> And they're not - I've tested proof-of-concept and example code for this vulnerability on my win-98 systems and it doesn't work.
>
> I'm not saying that your conclusion is wrong, but that the method you derived to get there was flawed. A vulnerability is one thing, and exploit code POC is another. If the POC code doesn't support W98, the exploit won't work, but that does *not* mean that the vulnerability does not exist.

Why is it that every time a newly-discovered exploit is found to not work on win-98, there are those that cling to the belief that win-98 *does contain* the vulnerability - except that the exploit must be coded slightly differently for it to execute properly on win-98?

> Someone with nothing better to do than craft exploits for antique machines perhaps could still write one that *does* support W98.

You have no basis (for the time being) to suppose that there are variations on the coding for this vulnerability that will execute properly on win-9x systems, or that code variations are even a possibility given the functional details of this exploit.

Most NT-fanbois (NT includes 2K, XP, vista, etc) are very quick to point out the VAST, HUGE differences between the 9x and NT line of windoze (differences in how the kernel works, how memory is used, stacks, heaps, etc). Funny how all these differences seem to melt away when we talk about these exploits. Funny how all of a sudden 9x is more like NT when it comes to these exploits.
#6
98 Guy wrote:
> FromTheRafters wrote:
>>> And they're not - I've tested proof-of-concept and example code for this vulnerability on my win-98 systems and it doesn't work.
>>
>> I'm not saying that your conclusion is wrong, but that the method you derived to get there was flawed. A vulnerability is one thing, and exploit code POC is another. If the POC code doesn't support W98, the exploit won't work, but that does *not* mean that the vulnerability does not exist.
>
> Why is it that every time a newly-discovered exploit is found to not work on win-98, there are those that cling to the belief that win-98 *does contain* the vulnerability - except that the exploit must be coded slightly differently for it to execute properly on win-98?

Why is it that even though I carefully worded my post so as to not have you jump to W98's defense, you still feel that you must do so? My post wasn't about W98, but about your misconception about how exploit based malware works.

>> Someone with nothing better to do than craft exploits for antique machines perhaps could still write one that *does* support W98.
>
> You have no basis (for the time being) to suppose that there are variations on the coding for this vulnerability that will execute properly on win-9x systems, or that code variations are even a possibility given the functional details of this exploit.

You are correct, but that doesn't change the fact that your stated reasoning is flawed. I'm referring to the idea that 'the exploit POC code didn't work, therefore the OS is not vulnerable to the exploit'.

[...]