LMAO - Yet Another M$ IE 5.5/6 Major Security bug!!

Laz

From newsfactor.com:-

___________________________


A security hole in Microsoft's Internet Explorer allows hackers to erase or take control of a computer's hard drive through a Web site and possibly through e-mail, according to a warning posted to security mailing list Bugtraq, which is published by Symantec. The exploit affects Windows users running IE versions 5.5 or 6.0, and possibly those who read e-mail with Outlook or Outlook Express.

The vulnerability, just the latest in a string of security holes in the IE browser, also has fanned the flames of disagreement among security experts because the Bugtraq warning included working code that exploits the flaw.

Timing at Issue

While some maintain that the warning should not have included working code, others say Microsoft may have known about the flaw for weeks before it became public. The Bugtraq alert was issued this week, but VNUNet, a UK security publication, made note of the flaw as early as November 8th.

Microsoft representatives were not available for comment.

James Madison University researcher Gary Flynn, who posted the warning about the flaw, said a user can activate the malicious code merely by clicking a link to a boobytrapped Web page. He said there is no known patch for the vulnerability and that antivirus and personal firewall software will not prevent the exploit. "It is hoped that Microsoft will provide a patch to fix this defect in the near future," he added.

Defending Release

Genevieve Haldeman, Symantec's director of corporate public relations, told NewsFactor that the code was "appropriate content" for the Bugtraq list because of the list's full-disclosure approach to security.

"Full disclosure is a philosophy that a truly secure system must be able to withstand open reviews at all levels and that the details of security vulnerabilities should be open to everyone," Haldeman said. "This particular exploit has the potential to cause tremendous damage to systems, and security experts need to be aware that this vulnerability is being exploited in the wild to cause damage."

All of the information in the posting was available elsewhere, she added.

Nothing New

In recent months, Microsoft has come under fire for the relative security of its software and has already issued some 50 patches and alerts, many specifically related to Internet Explorer.

The latest IE-related security warning posted on the Microsoft Web site was an August 22nd bulletin recommending that a cumulative patch be downloaded to fix seven known vulnerabilities. That bulletin made no mention of the new flaw, though Microsoft did release an earlier patch in May 2002 for a different flaw that also exposed IE users to remote takeovers of their computers.

Giga Information Group research director Michael Rasmussen said Microsoft's pledge to invest millions in security upgrades is a sign that the company knows it has neglected the issue for too long.

"Microsoft is doing a much better job than they used to," Rasmussen told NewsFactor. "But will they detect everything? No, they won't. There's no magic wand."
___________________________

U just gotta laugh though, this is such an ongoing farce! :D :p :D

M$ should have very red faces right now especially with the leaked news about the revenue spinner Win XP 2nd edition despite them denying such!

ROTFLMAO :D
 