 MS IE "Google" vulnerability


Kristen
Test

22859 Posts

Posted - 2010-01-22 : 03:05:28
Is it just me? or is the scope of this fix (in particular the "Vulnerability Information" section), covering so many generations of IE, just staggering after so much time, so many "We've really really changed" speeches, and so much time & money spent reviewing and, supposedly, fixing potential security breach holes?

http://www.microsoft.com/technet/security/bulletin/MS10-002.mspx

Keep in mind that I'm a self confessed MS fanboy ...

elwoos
Master Smack Fu Yak Hacker

2052 Posts

Posted - 2010-01-22 : 05:56:08
I found that completely underwhelming too especially as they have known about this for a good few months and weren't intending to do anything until February despite recognising the severity of the issue if http://www.wired.com/threatlevel/2010/01/microsoft-zero-day-flaw/ is to be believed.

Is it just me or does it seem like there is more to this than meets the eye?

steve

-----------

Deja Moo - The feeling you've heard the same bull before.

Transact Charlie
Master Smack Fu Yak Hacker

3451 Posts

Posted - 2010-01-22 : 06:22:37
Well it would probably have been shorter to specify which environments were not affected. When that happens then it's a bad one.


Charlie
===============================================================
Msg 3903, Level 16, State 1, Line 1736
The ROLLBACK TRANSACTION request has no corresponding BEGIN TRANSACTION

Kristen
Test

22859 Posts

Posted - 2010-01-22 : 06:25:55
"they have known about this for a good few months "

You are being too kind sir. I don't know if the Media Player error is in the same bracket, but that was 12 months ago I think. The rest are 3-6 which is definitely "a good few months" for something so pervasive.

Haven't read your link, yet, but my 2p worth is that TippingPoint / ZeroDayInitiative (I forget which of the two is the one that pays out ) "bought" this issue (i.e. by reward to finder - a service done to promote reporting of such issues without malicious intent, nor announcement in public domain) and thus has documented when they informed the Vendor.

Hang on, I'll find a link:

http://www.zerodayinitiative.com/advisories/published/

"Is it just me or dies it seem like there is more to this than meets the eye?"

I think so, rumblings that it was an insider at Google that used the loophole to gain access to mail etc. But if it is a foreign power cyber attack thingie they've used up a very effective "life" and will now have to find another one to continue the game. Maybe they have loads more where that came from though

"We're doomed ..."

Kristen
Test

22859 Posts

Posted - 2010-01-22 : 06:27:09
P.S. 11 of their advisories were made public yesterday, I presume they keep them secret until the vendor announces a fix. Bit of a Red Letter Day I think ...

Transact Charlie
Master Smack Fu Yak Hacker

3451 Posts

Posted - 2010-01-22 : 06:34:05
quote:

Disclosure Timeline

2009-08-14 - Vulnerability reported to vendor
2010-01-21 - Coordinated public release of advisory


Ouch.


Charlie
===============================================================
Msg 3903, Level 16, State 1, Line 1736
The ROLLBACK TRANSACTION request has no corresponding BEGIN TRANSACTION

Kristen
Test

22859 Posts

Posted - 2010-01-22 : 06:45:12
Interesting that the French government is on the list of people thanked on the MS Bulletin (as per my initial link).

The French government have recommended that people switch away from using IE. I thought that was a bit of an extreme reaction, personally, but if they reported a major security flaw and it took 4 months to fix then maybe I should take note too ...

robvolk
Most Valuable Yak

15732 Posts

Posted - 2010-01-22 : 07:02:26
There's always Chrome, Firefox, Safari, Opera, etc. etc. And they're all cross-platform too.

Kristen
Test

22859 Posts

Posted - 2010-01-22 : 08:16:42
Just realised I put this in the wrong forum, sorry. Meant to put it in Yak Corral - if a MOD could move it please? Thanks

http://www.telegraph.co.uk/technology/microsoft/7052032/Microsoft-releases-emergency-Internet-Explorer-patch.html

The Telegraph quotes Microsoft as saying "The team at Microsoft has done an excellent job of responding quickly, ..."

Hmmmm ....


Kristen
Test

22859 Posts

Posted - 2010-01-25 : 14:31:21
Possibly "Oh dear!"

http://www.telegraph.co.uk/technology/microsoft/7073888/Internet-Explorer-hit-with-new-set-of-security-flaws.html

elwoos
Master Smack Fu Yak Hacker

2052 Posts

Posted - 2010-01-26 : 04:44:32
quote:
The team at Microsoft has done an excellent job of responding quickly


Perhaps that is in comparison to Adobe

-----------

Deja Moo - The feeling you've heard the same bull before.

X002548
Not Just a Number

15586 Posts

Posted - 2010-01-27 : 20:07:39
"I only want the best for the mission and the team....Dave, what are you doing?"

"Dave?"



Brett

8-)

Hint: Want your questions answered fast? Follow the direction in this link
http://weblogs.sqlteam.com/brettk/archive/2005/05/25/5276.aspx

Add yourself!
http://www.frappr.com/sqlteam




Kristen
Test

22859 Posts

Posted - 2010-01-28 : 03:08:02
Over here Dave also gives us "Dave ja vu"

http://en.wikipedia.org/wiki/Dave_%28TV_channel%29

elwoos
Master Smack Fu Yak Hacker

2052 Posts

Posted - 2010-01-29 : 10:09:12
And there was me thinking you meant Dave Lister http://en.wikipedia.org/wiki/Dave_Lister

-----------

Deja Moo - The feeling you've heard the same bull before.
   
