I never use IE unless it's absolutely necessary. But I regularly do
/all/ the security updates.
In case there are people who still think I was being unfair to Microsoft,
see
http://lists.netsys.com/pipermail/full-disclosure/2004-June/022556.html
This was written by Nick Fitzgerald, a very well-respected anti-virus
professional and researcher (ex-editor of the "Virus Bulletin"). He said
it a lot better than I did. Food for thought.
In part:
"This is entirely consistent with a long line of shoddy "fixes" from
Microsoft (and, to be fair, many other vendors). Instead of seeing the
"%20 bug" reported by Slemko above for what it turns out it was -- a
clear indication something was horribly broken in multiple parts of the
codebase where (HTML) URL parsing occurs, it is now quite clear that it
was seen as a "there is a problem if '%20' is present in URLs" problem.
When "fixing" the %00/binary null issue recently, was _that_ seen for
what it really was -- a clear indication there was something horribly
broken in multiple parts of the codebase where (HTML) URL parsing
occurs?
Nope.
Despite all that extra security training the code monkeys in Redmond
(or perhaps Bangalore?) had as a result of Billy Boy's much publicized
Security Initiative, the same old blinkers as to locating the source of
the _reported problem_ were apparently still firmly in place. Rather
than opening an exhaustive analysis to uncover the underlying problem
that could have resulted in them properly fixing the (apparently still
undiscovered) base cause of the horribly broken (HTML) URL parsing
code, it seems "fixing the reported %00 problem" was the objective.
Lest anyone think this is an unusual, or possibly unique case with MS
products, I'll simply point out that we have seen multiple similar
instances with macro security issues in Word and the other Office
products where a bug is reported in one or other of the products in the
suite, fixed and subsequently the same bug is found in yet other Office
products. We also saw very similar failures of vulnerability analysis
in cases such as the Incorrect MIME Type and Incorrect Object Data Type
vulnerabilities.
The repetitive nature of some of the patterns of vulnerabilities we see
in its products suggests that the hugely labyrinthine codebase and the
distributed and always-changing make-up of the teams responsible for
specific components and products, means that the same functionality is
implemented over and over by groups who do not talk with each other.
Given the monstrous size of the whole codebase, its continual, rapid
growth and the market-grabbing strategy of stuffing more and more of
what is traditionally considered "application layer" functionality into
the OS ("the DoJ defence" in the IE/Netscape case and potentially to be
used in future against media player makers, software firewall makers,
perhaps AV developers, and no doubt all manner of others) we will see
many, many more instances of these repeated patterns of vulnerability
exposure because the scale of the problem is far beyond what the human
capital at MS can cope with and the problem is computationally
intractable (à la Turing) so cannot be fixed by throwing more technology
at it. As it is incredibly unlikely the whole morass of Windows code
will be ditched and re-written intelligently from scratch, I am quite
confident in this prediction."
Regards
Gordon