Who should read this document: Customers who are using Microsoft® Internet Explorer
Impact of vulnerability: Remote Code Execution
Security Update Replacement: This update replaces the one that is provided in Microsoft Security Bulletin MS03-048, which is itself a cumulative update
Affected Software:
Microsoft Windows NT® Workstation 4.0 Service Pack 6a
Microsoft Windows NT Server 4.0 Service Pack 6a
Microsoft Windows NT Server 4.0 Terminal Server Edition, Service Pack 6
Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service Pack 4
Microsoft Windows XP, Microsoft Windows XP Service Pack 1
Microsoft Windows XP 64-Bit Edition, Microsoft Windows XP 64-Bit Edition Service Pack 1
Microsoft Windows XP 64-Bit Edition Version 2003
Microsoft Windows Server® 2003
Microsoft Windows Server 2003, 64-Bit Edition
Download: Cumulative Security Update for Internet Explorer (832894)
View: More Information
News source: Microsoft TechNet via Bink
Impact of vulnerability: Remote Code Execution
Security Update Replacement: This update replaces the one that is provided in Microsoft Security Bulletin MS03-048, which is itself a cumulative update
Affected Software:
Microsoft Windows NT® Workstation 4.0 Service Pack 6a
Microsoft Windows NT Server 4.0 Service Pack 6a
Microsoft Windows NT Server 4.0 Terminal Server Edition, Service Pack 6
Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service Pack 4
Microsoft Windows XP, Microsoft Windows XP Service Pack 1
Microsoft Windows XP 64-Bit Edition, Microsoft Windows XP 64-Bit Edition Service Pack 1
Microsoft Windows XP 64-Bit Edition Version 2003
Microsoft Windows Server® 2003
Microsoft Windows Server 2003, 64-Bit Edition
Download: Cumulative Security Update for Internet Explorer (832894) View: More Information News source: Microsoft TechNet via Bink
Dave arrived and set his laptop up, an IBM ThinkPad A31. He didn't connect to the Internet - too dangerous, and against regulations, if I recall - but instead ran his presentation software using movies and videos where others would have actually gone online to demonstrate their points. While he was getting everything ready, I took a look at the first FBI agent I could remember meeting in person.
Dave had some surprises up his sleeve as well. You'll remember that I said he was using a ThinkPad (running Windows!). I asked him about that, and he told us that many of the computer security folks back at FBI HQ use Macs running OS X, since those machines can do just about anything: run software for Mac, Unix, or Windows, using either a GUI or the command line. And they're secure out of the box. In the field, however, they don't have as much money to spend, so they have to stretch their dollars by buying WinTel-based hardware. Are you listening, Apple? The FBI wants to buy your stuff. Talk to them!
Dave also had a great quotation for us: "If you're a bad guy and you want to frustrate law enforcement, use a Mac." Basically, police and government agencies know what to do with seized Windows machines. They can recover whatever information they want, with tools that they've used countless times. The same holds true, but to a lesser degree, for Unix-based machines. But Macs evidently stymie most law enforcement personnel. They just don't know how to recover data on them. So what do they do? By and large, law enforcement personnel in American end up sending impounded Macs needing data recovery to the acknowledged North American Mac experts: the Royal Canadian Mounted Police. Evidently the Mounties have built up a knowledge and technique for Mac forensics that is second to none.
(I hope I'm not helping increase the number of sales Apple has to drug traffickers.)
amazing.....
/me moves on...
like anyone cares.
http://www.microsoft.com/technet/treeview/...end=&submit1=go
That's right ... move on.
same goes for post #2
But all of IE's vulnerabilities are stuff like: you click a link in IE, and it spoofs IE's address bar. Or you go to www.badsite.com using IE, and it uses a cross-site scripting vulnerability to execute JavaScript in the context of another, trusted site in IE. If you don't go to www.badsite.com using IE, how can www.badsite.com do stuff to your computer?
And what are you talking about, GameGuy? Firebird and Mozilla has releases every other month or so (only development builds are updated nightly, much like how-- not trolling--Microsoft builds Longhorn every day for testing out new code), Opera also has releases, so what browser has nightly updates?
And SomeDork, why are you so sensitive about IE's security holes? How do you know Mystr- uses Firebird? He could be using Opera, which is still more secure than Internet Explorer.
Let's face it-- IE wasn't written with too much concern with security, like in this case, when IE's developers didn't think that a malicious person could put a null character in the address bar while Mozilla/Firebird/Opera developers did (except for a small exception in which the address bar is spoofed in Mozilla but still not in the *address bar* which most people look at to see if they're at ebay.com.)
And software can still be designed and be secure even when a majority of the market uses it-- even though it's a different product, Apache still illustrates that a dominant product can be secure enough without earth-shattering vulnerabilities.
Last edited by 20554 on 03 Feb 2004 - 03:55
And I never said anyone used Firebird unless I was either being hypothetical or responding to someone specifically about Firebird. I'm willing to compare point for point on the security and bugginess of any browser vs IE, but the only counterpoint ever provided is "omg x/y/z browser has more features therefore IE suxors."
Right.
The first thing that must be realized is that Microsoft and the Open Source community have completely different approaches.
Microsoft tends to bunch up their updates/patches/whatever-you-wanna-call-them into periodic updates with more time between them.
Open Source uses an extremely frequent update process. Daily is not unheard of, especially in popular, active applications.
Neither approach lends itself more or less to security in any grand way. Comparing release schedules is meaningless. One thing I was sure was going to happen when Microsoft announced a monthly update schedule was Microsoft (or others) would start saying "Look! We only had 6 updates last year". While it is certainly a fact, it does little to show which product is superior.
Open Source updates may be more frequent, which is nice for new features, and for bug fixes. But changes to code (in OSS and in MS) can bring about new bugs that weren't anticipated.
So, please bash each other about the head and neck with features and problems, not with the number of updates.
I thought they had these huge things called "Service Packs", and they contained many different fixes and improvements.
Microsoft just doesn't release fixes for the little things one at a time, and let the user pick what to install and what is not needed/desired.
It was Service Pack, or no Service Pack.
Service packs are a totally different concept than hotfix/bugfix/security patch. I'm only referring to the latter. This actually benefits the argument because I'm not even remotely implying "oh look, IE only has one patch: SP1!" Or only one "patch", etc.
Buttah.... when's SP2 actually scheduled. I wanna do a reinstall of my system - first Win XP than SP2 - and afterwards all my proggies.
Since I don't think it's a good idea, stability-wise speaking, of reinstalling Windows and all my apps and THAN SP2
As for rebooting, you should do that anyway.
thank god for firebird
Yes, we're tired of the bull "salesmanship" ... if you want to prove a point I'm sure that we'll listen but there's not a point to prove, imho.
I'll just turn your statement around: "Firebird is full of bugs, instabilities, and security flaws, and isn't even a full 1.0 product yet. They might as well never finish the product." Touche?
Explicative, you're utilizing a very very lazy argument. When one party is complaining about quality, you can't immediately take the side of "well, we don't need to adhere to the same standards we're debasing in your product." It doesn't go both ways.
And it disables support for http://user@domain as mentioned on Neowin a few days ago.
Mirror Official Homepage
Only 3 months later!
http://secunia.com/Internet_Explorer_File_Download_Extension_Spoofing_Test/
Thats not fixed though, thought it was to be ??
------------
As for this one I get a blank page now or a Invalid syntax error, this is how its meant to be no?
http://www.secunia.com/internet_explorer_address_bar_spoofing_test/
Hopefully some random open source website won't try to fix it
LMAO!
But, just for the record, the place that did a miserable job was "Open Wares" or 'Warez'... they are not an Open Source group, just a bunch of h4x0rz that thought they would be cool.
Still, a funny quote!
And MS didn't start the process of bunching up updates until the last few months (about 3). Until then, the most you could've said was "they just didn't release them".
Even with bundling, I'm willing to compare based upon listed vulnerabilities, not even released patches (bundled or not, this would be an equitable comparison). Yet noone is willing to step up to the plate.
/me *hugs* Internet Explorer and *kicks* Firebird fanatics away.
(yes i have SP1 installed)
you enjoy being an ass, dont ya
Commenting has either been disabled on this article or you are not logged in. Click here to login or register, its free!
Note: Anonymous commenting is disabled in order to keep the quality of responses to a high standard.