Home > IT, Security > IE 7 Final…. Vuln #1 — Microsoft says not an IE Vuln

IE 7 Final…. Vuln #1 — Microsoft says not an IE Vuln

October 20th, 2006 Leave a comment Go to comments

So apparently this IE vuln isn't an IE vuln... It's an Outlook Express vuln... That's what they're saying at MSRC & The IE Blog. That's cool... It's an OE vuln...

So all Microsoft is saying is that they've known about this vuln since (at the latest) April '06 and it's still not patched... I don't think the actual vulnerable component is really what matters... The attack vectors are the important part... and IE is an attack vector for this...

It makes me think of MS03-007, a buffer overflow in ntdll.dll.  If you read the advisory, the mitigation techniques don't point to anything directly related to ntdll.dll... Instead they point to WebDAV... How to disable WebDAV in the registry, how to use URLScan and IISLockdown to filter WebDAV, Methods that you could block to prevent this... Why? WebDAV was an example of something that made a call to the function/procedure containing the buffer overflow in ntdll.dll. WebDAV was an attack vector... Plenty of places called it a WebDAV vuln...

While those people were technically incorrect and Microsoft, here, is technically correct... we're arguing over semantics... The vulnerability exists.... it can be accessed through your browser... If the browser is the vulnerable component or not is irrelevant.

It's like Apple saying "It's not our fault you were infected, Microsoft allowed this to happen by not building a secure product"... The IE Team is saying "Don't blame us... you can only access it through us... blame the Outlook Express team... it's their vuln"...

To me we're not addressing the vuln.... (however minimal it may be)... we're playing the blame game... IE... OE... they're just components of Windows (let's not argue the semantics of that statement).... how about we just call it a Windows vuln... and how about instead of Microsoft teams trying to lay blame on other parts of the company... they work together to fix it...

I would have been really impressed if IE7 wasn't vulnerable when it was released (or wasn't an attack vector)... If the IE Team made a blog posting saying... "This vuln exists in OE... IE was previously an attack vector, however we've made changes to remove this vector of attack.... While we're sure that the OE team is working on fixing this problem... we wanted to do our best to mitigate the problem"... I would have had some respect if they'd done that.

Peace,
HT

Categories: IT, Security Tags:

This website uses IntenseDebate comments, but they are not currently loaded because either your browser doesn't support JavaScript, or they didn't load fast enough.

  1. No comments yet.
  1. No trackbacks yet.