Please, take the conspiracy theorist motivated part of this discussion
to alt dot something.
This thread should be about the present risks, workarounds, and
degrees of exposure in the wild - that is, keep to YOUR subject.
imhotep said:Michael said:[snip]Microsoft Zero Day security holes being exploited
"Microsoft has issued warnings about a serious flaw in Internet Explorer
that allows attackers to hijack a PC via the popular browser
Workaround:
regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
I've done that and tested successfully (see below).
A non-Microsoft fix: <http://isotf.org/zert/download.htm>.
To test, see (at your own risk) <http://www.isotf.org/zert/testvml.htm>.
Nice job...
Roger said:If you are a skilled car driver why would you choose to use only an
inferior, cheaply made, sardine tin of an auto that could not meet the
safety standards of many governments of the day ?
Why did safe sting classes come about?
Would you choose to go back to GO TO based programming?
Use of a language that enforces safe code is a good thing.
Remember Dijstra? The set of 4 constructs proved sufficient for
any general purpose language? Remember the arguably academic
language Pascal (Wirth?) designed to show this? Remember how
that ushered in a new era in programming and vastly simplified
software lifecycles?
Are you saying that languages designed to not allow major problems
plaguing the sofeware industry are worth naught ?
You surely do sound to be doing so.
Roger said:imhotep said:Michael said:Microsoft Zero Day security holes being exploited
"Microsoft has issued warnings about a serious flaw in Internet Explorer
that allows attackers to hijack a PC via the popular browser
[snip]
Workaround:
regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
I've done that and tested successfully (see below).
A non-Microsoft fix: <http://isotf.org/zert/download.htm>.
To test, see (at your own risk) <http://www.isotf.org/zert/testvml.htm>.
Nice job...
Actually, it is not that good to the world however.
regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
which is the first workaround mentioned in the MS advisory,
may fail in some locales.
As Jesper (and others) have indicated,
it should use %CommonProgramFiles%
http://msinfluentials.com/blogs/jes...Block-VML-Zero_2D00_Day-Vuln-on-a-domain.aspx
http://tinyurl.com/mtcbd
<quote>
Update Sept. 21, 2006
Uploaded a new version of the archive that uses %CommonProgramFiles%
instead of %ProgramFiles%\Common Files to specify the file location.
This helps make it work on non-English systems that have translated the
name of the Common Files directory.
</quote>
Those interested should see his Friday's blog that not only discusses the
third-party patch route, but also outlines another approach to the current
(and the Direct Animation control's path) vulnerabiltiy
http://msinfluentials.com/blogs/jes...gainst-the-VML-vulnerability-on-a-domain.aspx
http://tinyurl.com/h3buq
Roger said:Enough of this Im.
It IS off-topic.
Besides, contrary to your claim Karl DID answer you.
In my initial post I also indicated this fact of life to you.
But, here goes again, one last time.
An impacted piece of code has a dependency tree, and test coverage
must be directed by that.
When a piece of code has few uses, and especially when those uses
are not complex relative to internationalization, regression testing is
a much smaller task.
When a code is a general library, the dependency tree itself can be
difficult to determine, and coverage testing larger and hence longer.
You have a comp sci background so I would assume you can see
those facts quite clearly (should you decide to).
But, this part I feel you have no real clue about, especially if the code
can impact visual renderings, then the internationalization becomes a
very real part of testing. Once a code change might start changing the
sizes of things it can start changing them differently in the 45 or so
supported locales, and there are a lot of interfaces that need to have
designed sufficiently for the possible size changes.
Please, take the conspiracy theorist motivated part of this discussion
to alt dot something.
This thread should be about the present risks, workarounds, and
degrees of exposure in the wild - that is, keep to YOUR subject.
Regards,
Roger
Leythos said:[snipped most, as I agree with Roger]Please, take the conspiracy theorist motivated part of this discussion
to alt dot something.
This thread should be about the present risks, workarounds, and
degrees of exposure in the wild - that is, keep to YOUR subject.
I don't think I've seen this stated better (all that you said, not just
want I kept) in thousands of posts I've read this weekend.
David said:From: "Roger Abell [MVP]" <[email protected]>
< snip >
| Please, take the conspiracy theorist motivated part of this discussion
| to alt dot something.
|
| This thread should be about the present risks, workarounds, and
| degrees of exposure in the wild - that is, keep to YOUR subject.
|
| Regards,
| Roger
|
I totally agree.
Leythos said:[snipped most, as I agree with Roger]Please, take the conspiracy theorist motivated part of this discussion
to alt dot something.
This thread should be about the present risks, workarounds, and
degrees of exposure in the wild - that is, keep to YOUR subject.
I don't think I've seen this stated better (all that you said, not just
want I kept) in thousands of posts I've read this weekend.
Sure. However, you can not deny that it would be nice to have a patch out in
days instead of months....we know they can do it, they have in the past...
Leythos said:Leythos said:[snipped most, as I agree with Roger]
Please, take the conspiracy theorist motivated part of this
discussion to alt dot something.
This thread should be about the present risks, workarounds, and
degrees of exposure in the wild - that is, keep to YOUR subject.
I don't think I've seen this stated better (all that you said, not just
want I kept) in thousands of posts I've read this weekend.
Sure. However, you can not deny that it would be nice to have a patch out
in days instead of months....we know they can do it, they have in the
past...
I think you misunderstand regression testing and proper QA methods. If I
want to patch a program that does not interact with any other programs,
then I only need to test the program. If I want to patch a interface,
something that interacts with many programs and services, it means that
I have to regression test all interconnected parts.
MS has no reason to lag in pushing out patches or fixes, they do it as
quickly as possible with the least risk they can manage to end-users.
Ian said:Think we'll only achieve secure computing when C is dropped in favour of a
better language. The list of buffer-overflow exploits in every single
major
software-package gets monotonous.
The idea that Microsoft is allowing it's users to be unsafe for so long is
inexcusable. Why is it that everyone else can release timely patches but
Microsoft can't. Damn, even open source has a much better time to patch
than Microsoft. The average time to patch for Linux is a couple of days.
And it is free...
imhotep said:The Simple question that has NOT been answered:
Now, you claimed to have answered the question but you did not.
imhotep said:I will pass this along to the helpdesk guys. Thanks.
Any ETA about the patch/fix from Microsoft?
Roger said:No, and I have not seen a reason to ask.
MS took the unusually step of detailing workarounds that
crippled functionality in their initial advirory. That was no
doubt in response to analysis showing code availability,
exploit character, and extent of testing that would be needed
(i.e. time to delivery). From that I fully trust resources were
marshalled in appropriate scale.
Typically the owning group of the involved code finishes its
work, which includes review for similar/related flaws, quite
quickly. For something like this, that could have impacts on
non-MS code, the test cycle is where the time gets consumed
(read: not all testing is in-house).
(You trapped me with that dumb follow-up once more !!)
That's a really stupid argument and shows a total lack of understanding of
computer security. Security is risk management. First you assess risks,
and then either you accept a risk, or you mitigate a risk. I assessed the
risk, and backed up my assessment by noting the two next largest IE vulns
to
hit the media. Asking me to put out a monetary guarantee before you'll
accept the validity of my argument, with past examples, is just dumb.
Suffice it to say that past IE vulns have always been widely overrated.
You're constantly coming here and saying that the sky is about to fall in,
and it never does. You're backing up your baseless panic with "what if"
and
"it could happen" statements. Security and risk assessment just don't
work that way, and for good reason.
I bet the organization where you work has accepted the risk of this
vulnerability, and is doing little to nothing, at least on the client
side,
to lessen the risk. That's a very common real world posture to these IE
vulns.
I already did.
Without propaganda? That's what I should be demanding of you. A good
example of propaganda is when you said that Microsoft bases its patching
policy on laziness, greed and/or incompetence.
Leythos said:Sure. However, you can not deny that it would be nice to have a patch out inLeythos said:[snipped most, as I agree with Roger]
Please, take the conspiracy theorist motivated part of this discussion
to alt dot something.
This thread should be about the present risks, workarounds, and
degrees of exposure in the wild - that is, keep to YOUR subject.
I don't think I've seen this stated better (all that you said, not just
want I kept) in thousands of posts I've read this weekend.
days instead of months....we know they can do it, they have in the past...
I think you misunderstand regression testing and proper QA methods. If I
want to patch a program that does not interact with any other programs,
then I only need to test the program. If I want to patch a interface,
something that interacts with many programs and services, it means that
I have to regression test all interconnected parts.
MS has no reason to lag in pushing out patches or fixes, they do it as
quickly as possible with the least risk they can manage to end-users.
Smitty said:I have to agree with Imhotep.
I have been thoroughly p****ed off this week as a result of a virus which
somehow evaded the countless security systems I have in place. In
retrospect, the 'vulnerability' is simply MS stupidity. Imagine allowing
WinLogon to to load arbitrary DLLs into its address space simply by adding
entries into the registry.
WinLogon is supposed to be my first line of defense against security issues.
What are they thinking ?
About money, obviously !
http://secunia.com/product/22/?task=advisories (XP Pro. -- critical extreme vulnerability)
http://secunia.com/product/16/?task=advisories (XP Home -- critical extreme vulnerability)
http://secunia.com/product/1/?task=advisories (2000 Professional -- critical extreme vulnerability)
http://secunia.com/product/13/?task=advisories (98 Second Edition -- only 3 less critical vulnerabilities)