Path: g2news1.google.com!news1.google.com!news.glorb.com!news3.optonline.net!pd7cy1no!shaw.ca!pd7tw2no.POSTED!53ab2750!not-for-mail
X-Trace-PostClient-IP: 24.86.202.85
From: Brian <br...@stanley-park.com>
Subject: Patched in 60 Seconds
Newsgroups: microsoft.public.msn.discussion
Reply-To: br...@stanley-park.com
Lines: 76
User-Agent: KNode/0.7.7
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7Bit
Message-ID: <AzzHc.55859$WB5.44195@pd7tw2no>
Date: Fri, 09 Jul 2004 16:18:40 GMT
NNTP-Posting-Host: 24.71.223.147
X-Complaints-To: ab...@shaw.ca
X-Trace: pd7tw2no 1089389920 24.71.223.147 (Fri, 09 Jul 2004 10:18:40 MDT)
NNTP-Posting-Date: Fri, 09 Jul 2004 10:18:40 MDT
Organization: Shaw Residential Internet
Xref: g2news1.google.com microsoft.public.msn.discussion:1428

Hello Dear Friends:

Here is an interesting article about a recent vuln discovered in the open source browser/mail-agents developed by Mozilla.

'Well Well Well', you may be thinking - open source with a discovered exploit!

Here is the sad part, from a Microsoft point of view, the vulnerability is only exploitable on Microsoft operating systems because of the embedded IE code built in to Windows. Oops... 8^)

Here is another sad part, from a Microsoft point of view, it was patched on the same day that it was revealed.

Let's review: Microsoft takes 7 days to patch the recent IE exploit (and the patch was ineffective) and the open source community takes less than a day to patch Mozilla products that operate on Microsoft OSes - really a Windows exploit!

Here are some of my favorite passages:

<quote>

Specifically the vulnerability is a feature: it allows Windows programs to be run remotely through clicking on a link like one of these. The links use the shell: command to run arbitrary Windows programs or, at its most destructive, a denial of service attack on an individual machine by opening up programs that don't exist.

The kicker is that this isn't even a problem with Mozilla; it's a problem with Windows Explorer. Windows XP Service Pack 1 was supposed to have closed this hole, but apparently it is still functioning and leaving Windows systems open to remote attack. So the Mozilla team worked to patch a hole that had little to do with their project.

Is this really a security hole? When Mozilla receives a shell: request, it passes it on to an external handler in Windows. The "fix" for this is to disable this functionality which, as far as I can tell, is totally unnecessary to begin with. External handlers -- programs outside Mozilla -- have no specific security model, so the only way to deal with them is to make individual exceptions like this one. Messy? Yes. But that's Windows.

He who patches first, patches best

So we had a fix in less than 24 hours, and the exploit wasn't that bad to begin with. Let's compare this to Microsoft's handling of a recent Internet Explorer exploit that was taken advantage of by the Scob trojan, which sought to steal sensitive personal and financial information from its unknowing victims. The trojan attacked on June 25, and Microsoft had a patch released a quick and speedy seven days later, on July 2. So for seven days a serious hole remained in Internet Explorer, and even then the vulnerability remained!

One day for the community to discover, discuss, and patch a Windows security flaw through Mozilla, one week for Microsoft to incorrectly patch a serious IE exploit. Now tell me, Mr. Ballmer, Mr. Gates: Which is the better development model?

</quote>

When Bill Gates tells you that Microsoft patches fastest and best... Do you believe him?

Or is Bill Gates LYING? 8^)

Best regards,
Brian
Linux Mystic
open sorcerer
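
The quoted article describes the fix as an individual exception for shell: links that would otherwise be passed to the Windows external handler. As an added example (not Mozilla's code and not part of the original posts), the sketch below contrasts that per-scheme exception with a default-deny allowlist; the scheme lists, function names and sample links are constructed assumptions.

```javascript
// Added example, not Mozilla code. Scheme lists are illustrative assumptions.
const DENYLIST = new Set(["shell"]);            // the "individual exception" approach
const ALLOWLIST = new Set(["mailto", "news"]);  // hypothetical default-deny policy

// Extract the scheme after normalising the link the way URL parsers do:
// strip leading/trailing whitespace and control characters, drop embedded
// tab/CR/LF, and compare case-insensitively.
function schemeOf(link) {
  const cleaned = String(link)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\r\n]/g, "");
  const m = /^([A-Za-z][A-Za-z0-9+.\-]*):/.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Per-scheme exception: every scheme reaches the OS handler unless listed.
function denylistAllows(link) {
  const s = schemeOf(link);
  return s !== null && !DENYLIST.has(s);
}

// Default deny: only explicitly listed schemes reach the OS handler.
function allowlistAllows(link) {
  const s = schemeOf(link);
  return s !== null && ALLOWLIST.has(s);
}

// Constructed sample links (placeholders, not real targets).
const SAMPLES = [
  "shell:placeholder",
  " SHELL:placeholder",        // case and whitespace must not change the verdict
  "otherscheme:placeholder",   // a scheme nobody has written an exception for yet
  "mailto:user@example.com",
];

// Report both policies' decisions for each link.
function audit(links) {
  return links.map((link) => ({
    link,
    scheme: schemeOf(link),
    denylist: denylistAllows(link),
    allowlist: allowlistAllows(link),
  }));
}

console.table(audit(SAMPLES));
```

The denylist hands `otherscheme:` to the operating system because no exception exists for it yet, while the allowlist refuses it by default.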

Path: g2news1.google.com!postnews2.google.com!not-for-mail
From: "MIGuy" <Mich1...@gmail.com>
Newsgroups: microsoft.public.msn.discussion
Subject: Re: Patched in 60 Seconds
Date: 9 Jul 2004 09:45:35 -0700
Organization: http://groups.google.com
Lines: 5
Message-ID: <ccmi3f$c57@odbk17.prod.google.com>
NNTP-Posting-Host: odbk17.prod.google.com
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
X-Trace: posting.google.com 1089391535 14724 127.0.0.1 (9 Jul 2004 16:45:35 GMT)
X-Complaints-To: groups...@google.com
NNTP-Posting-Date: Fri, 9 Jul 2004 16:45:35 +0000 (UTC)
In-Reply-To: <AzzHc.55859$WB5.44195@pd7tw2no>
User-Agent: G2/0.1
Xref: g2news1.google.com microsoft.public.msn.discussion:1429

Only you can turn a Mozilla security problem item into a bash Microsoft thread. You not only beat a dead horse to death, but you back up and do it again to the point of boring the he$$ out of me. Rest it awhile, it's not even newsworthy.

Path: g2news1.google.com!news1.google.com!news.glorb.com!prodigy.com!pd7cy2so!shaw.ca!pd7tw2no.POSTED!53ab2750!not-for-mail
X-Trace-PostClient-IP: 24.86.202.85
From: Brian <br...@stanley-park.com>
Subject: Re: Patched in 60 Seconds
Newsgroups: microsoft.public.msn.discussion
Reply-To: br...@stanley-park.com
References: <ccmi3f$c57@odbk17.prod.google.com>
Lines: 33
User-Agent: KNode/0.7.7
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7Bit
Message-ID: <R7FHc.58342$WB5.27168@pd7tw2no>
Date: Fri, 09 Jul 2004 22:38:41 GMT
NNTP-Posting-Host: 24.71.223.147
X-Complaints-To: ab...@shaw.ca
X-Trace: pd7tw2no 1089412721 24.71.223.147 (Fri, 09 Jul 2004 16:38:41 MDT)
NNTP-Posting-Date: Fri, 09 Jul 2004 16:38:41 MDT
Organization: Shaw Residential Internet
Xref: g2news1.google.com microsoft.public.msn.discussion:1431

MIGuy wrote:

> Only you can turn a Mozilla security problem item into a bash Microsoft
> thread. You not only beat a dead horse to death, but you back up and
> do it again to the point of boring the he$$ out of me. Rest it awhile,
> it's not even newsworthy.

How is it that you appear incapable of properly 'replying' to a newsgroup post? Why do your 'replies' start a new thread rather than append themselves to the existing thread?

Perhaps *YOU* should buy a clue about common newsgroup methods before you start accusing others of boring you.

And by the way, what do you mean when you say 'bore the he$$ out of me'? Why are you using dollar signs for your Ss and what does 'hess' mean?

Look over this newsgroup to see how people reply to posts and then ask yourself, 'What am I doing wrong'?

As for my post not being newsworthy, I have to disagree and so do all the news agencies that carried the story all over the 'Net - Perhaps you are wrong!

Have a nice day and polish up on how to *properly* post a reply in a newsgroup so you won't make such a fool of yourself next time.

Best regards,
Brian
Linux Mystic
open sorcerer