'High Risk' Flaws found in IE and Outlook Express. OMFG!

Discussion in 'News and Article Comments' started by Waffle, Apr 3, 2005.

  1. Waffle

    Waffle Alpha Geek

    ...A pair of newly discovered security flaws in Microsoft's Internet Explorer and Outlook programs could put millions of users at risk of code execution attacks, a private research outfit warned Thursday.

    Well that makes 100,00,02...

    "At this time, Microsoft is not aware of any malicious attacks attempting to exploit the reported vulnerabilities, and there is no customer impact based on this issue,"

    Microsoft have their heads up some unpleasant place.

    Read more of what you already know, here.
     
  2. ninja fetus

    ninja fetus I'm a thugged out gangsta

    I'm getting so fed up with MS's shiz
     
  3. Nic

    Nic Sleepy Head

    Now there's a surprise, good job I got Firefox
     
  4. Addis

    Addis The King

    I use Thunderbird!
     
  5. Egaladeist

    Egaladeist I am the Eg Man

    I use Firefox too...but to be the Devil's Advocate here...the only reason why Firefox is more secure than MS is because of its market share...if Firefox ever was to grow beyond its current status the amount of exploits would rise accordingly...so...if you want Firefox to remain relatively secure you should not promote it...as long as it doesn't grow it will remain not much more than an afterthought.
     
  6. Addis

    Addis The King

    That's true, Firefox is secure by obscurity, but there are far less bugs which can be exploited (not so much holes) in Firefox as in IE.
     
  7. Egaladeist

    Egaladeist I am the Eg Man

    But I think the only reason there are less bugs to exploit is because there are fewer people trying to find ways to exploit it...if Firefox had a 40% market share, for example, and had the attention of the exploiters...then more bugs would be found...and exploitation of those bugs would rise accordingly.

    Right now Firefox is not a threat, so it is virtually ignored, even the bugs that are found are rarely exploited before they are fixed...if Firefox ever becomes popular and can rival IE in market share...everything we enjoy now with Firefox will be gone.
     
  8. Addis

    Addis The King

    It's not possible to predict that so certainly. But I won't take it literally.
    Firefox however is open source, and I would imagine that being an advantage over IE. Since its source code is available for anyone, bugs and potential holes can be found. Don't forget as well, Firefox does not have many developers, if market share rose to a substantial level, then it's inevitable that more developers and hackers would chip in to improve and monitor it. It's highly unlikely that Firefox would be as bad as IE, maybe more bugs would be found, but there's a good chance that they'll be fixed quickly as with IE.
     
  9. Egaladeist

    Egaladeist I am the Eg Man

    You're right it would be impossible to predict because of the timeline...if Firefox were to become popular, let's say ten years from now, to rival IE in market share...the situation in ten years won't be the same as now...so we would be talking about a different situation.

    The only real advantage I see Firefox having over IE, if both shared a 50% market share, is that it hasn't developed/incurred the animosity that IE has...therefore it would be less likely to be exploited and would receive more help merely because it is more liked and less hated. :D In this respect it would be more secure...but not because it's necessarily a more secure browser...because it really isn't.
     
  10. Anti-Trend

    Anti-Trend Nonconformist Geek Staff Member

    Egaladeist, there is no security in obscurity. Case in point: Microsoft IIS webserver vs open source Apache web server. Apache is free, open-source software, and it has a larger market share than IIS. However, it has less exploits and is targeted less by worms and hackers than IIS. Why? The source code for Apache is available to everyone, so by your line of reason, it should be an easier nut to crack. Fact of the matter is, the motto of open source software is security through scrutiny, not obscurity. The idea is that the more trained eyes look the code over, the better the code gets and in turn, the more secure.
     
  11. Egaladeist

    Egaladeist I am the Eg Man

    Actually, that was a term that Addis used not me. As for your comparison, you may be right or you may be wrong...I've read many threads on this topic, some by people who have been in internet security since there was internet security, and the debate over who has the more secure browser has always ended up to be subjective.
    However, one fact always prevails...that MS and their IE browser is the source of targeting because people don't like MS ...so...if that is the case, as I stated before, then it doesn't surprise me that IIS would be targeted more than Apache ( even with the larger market share ).
    Your example does not prove that Apache is more secure as much as it proves that people have a hurt-on for MS...which is the benefit that I assigned to Firefox.

    You see...my main point was not obscurity...because in my example I put Firefox on equal footing with IE. My main point has been that Firefox would be more secure even with a 50% share simply because it is not hated, therefore would be less targeted...not because it is in itself more secure.

    In terms of home security...there is a burglar watching two homes...with the same measure of security and the same potential windfall inside...in one home there lives a guy he despises...in the other home lives someone he likes or, at least, has no malice toward...which one do you think is going to get broken into?
     
  12. Anti-Trend

    Anti-Trend Nonconformist Geek Staff Member

    No flames intended, but that's a big stretch of logic. In my opinion and experience, the largest motivator behind taking control of other people's systems, through whatever method, is primarily for greed. Other motivators like hate, ego, boredom, curiosity, etc. are also a factor, but not as much so. An army of "zombie" PCs are worth a lot of money on the black market. The same thing applies to spyware, it's all for money. There will always be people who do it 'cause they hate X or Y company, or to show how l337 they are. However, there are plenty of folks out there doing it as a profession. Those guys don't care about X or Y company, they just want the $$$, so the motivation is there to hack any systems with any configurations available. The easier the target, the better. This makes IIS a much more attractive target than Apache, despite the fact that Apache has a higher market share. One in the hand is worth two in the bush, or so they say.
     
  13. Egaladeist

    Egaladeist I am the Eg Man

    Money is always a factor to take into consideration...and, as for Apache and IIS, I can't really say because it's not a topic that I've read or comes up often as the focus of a thread...but what I do know is that the jury is still out on which browser is, in itself, more secure...even experts in the field of security can't agree on this issue.

    Usually it comes down to the individual, their knowledge of security, their application of security, etc...that IE can be configured to be just as secure as Firefox and is more secure than Firefox on a corporate network level because it can be configured...
    the one advantage that Firefox has that stands out is its relationship with its consumers.
     
  14. Anti-Trend

    Anti-Trend Nonconformist Geek Staff Member

    OK, now I'm lost. I am a professional IT guy, and I have no idea what you're talking about. Of course Firefox can be configured, at least in every important way I can think of. It can also be used in a professional, networked environment. As a matter of fact, I put policy in place that where I work Firefox (or a few other select Gecko-based browsers) is the only acceptable browser, for security reasons. I used to work IT/MIS for city government some time back, and we actually had to replace IE on a whole department's systems with Netscape (another Gecko-based browser), because IE wasn't secure enough to work with one of the state's websites, which they had to interact with. That city was very MS-centric, so to install Netscape on a whole dept. was a big deal for them. It actually conflicted with an existing IE-only policy, but the MIS director had to eat humble pie because the state wouldn't allow us to use an IE browser for this purpose.

    Still, in my mind Mozilla is still the better browser for corporate use, even vs Firefox which is aimed more towards individuals. The config files are plain-text, so they can easily be rolled-out en masse by IT admins and then made read-only to prevent users from changing their settings. The same thing can be done for Firefox, but extensions are the thing that stick out in my mind. Mozilla is not as flexible as Firefox per se, so it's easier to regulate. Internet Explorer in combination with Outlook has always been the largest security problem on every single network I've ever administrated. Getting rid of those two is always the first thing I do, if possible, when taking responsibility for a network. And rightly so, as it always vastly increases the overall security of the network!

    Egaladeist, I have nothing against you. We could go back and forth on this point for eternity, but history is simply not on your side. In addition, it recently came out (by accident) that Stephen Toulouse, Microsoft's security program manager, doesn't even run IE - he runs Firefox. To prove that IE wasn't the only browser to have security issues, he offhandedly said:
    Microsoft's security program manager doesn't even use IE... whoops. He got in trouble for that one. Also, it's worth mentioning that the version of Firefox he was talking about was still in beta phase, so he was using it even before the 1.0 release. The early builds of Firefox weren't even that stable, yet Microsoft's security guy still preferred it over IE. Hmmm...
     
  15. syngod

    syngod Moderator

    Open source works both ways. Sure you'll have a bunch of people able to look at the source code and find ways to fix flaws but anyone that wants to do anything malicious has the same ability.

    As far as security goes MS actually has two advantages here. First since IE is closed source, it makes it that much more difficult to find flaws in the software. Second Windows Update is a huge advantage for MS, if a security flaw is found in their software they're easily able to get the majority of users patched up through automatic updates, Mozilla/Firefox users would actually have to pay attention to the browser's site for any security fixes.

    On the MS hatred thing though, yes MS is hated but you also have to remember the Mozilla foundation is a division of AOL even if they don't heavily promote it which I would say is an almost equally hated company.
     
  16. syngod

    syngod Moderator

    Also nowhere in the article did I recall him saying he preferred Firefox, he stated he has to update it.

    As far as anyone knows he has Firefox installed because it's a competing product and he's checking out the competition.

    Not trying to start a flame war here but there's way too many MS bashers and I like to see both sides of the story.

    BTW Egaladeist makes some good points, if Linux was to take over MS's share of the market I'm fairly sure you'd see just as many security flaws as MS is seeing. Right now it just isn't a major target, why take the time writing something for a program that has a 10% marketshare when you can attack the one that has 90%.
     
  17. Anti-Trend

    Anti-Trend Nonconformist Geek Staff Member

    Syngod, you're absolutely right. But the history of popular open-source software has been very positive in regards to security. In my mind, peer review has a lot to do with it. There are whole organizations just dedicated to finding vulnerabilities in open source software. The closed-source nature of proprietary software doesn't accommodate this model. They simply hope that nobody will notice security problems before they can fix it... if they choose to fix it at all.
     
  18. Anti-Trend

    Anti-Trend Nonconformist Geek Staff Member

    I hear this a lot, but Linux has a huge market share in the server niche, and yet it has nowhere near the vulnerabilities of Windows. Why is this? You seem to point to market share as the only consideration in the security game, but don't you think design has anything to do with it? Linux/Unix has better security by design, because it was intended for multiple users and networking from the beginning. Windows was not. Microsoft came into the game very late, because they thought the internet was a fad and a geek niche. *nix on the other hand has been a modular, multi-tasking, multi-user networking OS since the 70's. It's not perfect by anybody's standards, and there are still some stupid issues with Linux that carried over from Unix in order to provide POSIX compliance. But flaws considered, *nix is a much better design than Windows, from the ground up. This could easily turn into a religious debate of biblical proportions, so let me explain that most of the reason I'm so impressed with *nix is because of my experience as a Windows admin, not in spite of it. It's so much more easy to lock-down than Windows, there isn't any real comparison between the two. Microsoft has never shown much concern over security, and they've ignored the warnings and chastisings of security experts for years.

    This from the article:
    Here's a link to the Secunia security report if you want to see it. It's mentioned in the article, but never linked to.
     
  19. Egaladeist

    Egaladeist I am the Eg Man

    Haven't had time to get back to this but I will...

    That's good! We need more discussions and debates! :D

    and....I did read that Report too.
     
