Download.ject - commentary - LONG

[serverguy]

Ok, I am still a bit confused, maybe someone can enlighten me.

First, some background info:
http://www.internetnews.com/security/article.php/3374251

There's more. This vulnerability is still unpatched per the following
resources:
http://www.kb.cert.org/vuls/id/713878
http://xforce.iss.net/xforce/xfdb/16361

Today I read what appears to be a misguided article regarding the KB870669
patch recently released by Microsoft. Here is the article:
http://news.com.com/2010-1009-5256301.html?tag=nefd.acpro
(this guy is an Executive Editor???) I will try to explain below why I
think it is misguided.

My personal belief is that this is NOT in fact a "patch" or "fix" for the
vulnerability in question, but instead is just a partial workaround. Here
is Microsoft's page related to the issue:
http://www.microsoft.com/security/incident/Download_Ject.mspx

Note that for both home users and corporate workstations, they recommend
making manual adjustments to settings to "increase browsing safety" and
"increase security of the local machine zone in Internet Explorer" in
ADDITION to applying the 870669 patch. This suggests to me that the little
reg hack which the patch applies does little to address the vulnerability,
and it is really up to end-users and admins to protect their systems with
the manual steps listed here:
http://www.microsoft.com/security/incident/settings.mspx
and here:
http://support.microsoft.com/?kbid=871277

Granted these are known security best practices related to Internet
Explorer; however, I find it odd that MS is not simply releasing a fixall
patch for this issue - especially since it claims that it HAS FIXED this
issue with Windows XP SP2.

Also, I find it silly that technical writers are not more careful in their
research and understanding of these security issues. Mr. Berlind, in the
news.com article above, is making it sound as if 870669 is a patch and all
you need to do is go get it. He complains that he could not get it fast
enough, but he makes no effort to examine the patch itself to see if it
truly addresses the problem. He just assumes Microsoft will take care of
him, eventually.

I am not so convinced. Now, we are all being warned that IE simply cannot
be trusted anymore:
http://www.internetnews.com/security/article.php/3374931

So, in keeping an open mind, and seeing the pendulum now swinging back in
the other direction, away from Internet Explorer as the dominant browser, we
must all begin looking at the alternatives. As a network admin with
responsibilities including the security of over 1000 Windows computers and
several hundred servers, I am facing the daunting task of deciding to deploy
"workarounds," reg hacks, policies, and untold future "patches" to my users
in order to keep them safe while using IE and pray that it is enough and
that our virus protection and firewall will take care of the rest, or deploy
a new default browser to users and hope that it will be safe enough.

I am looking at Mozilla Firefox, but I have not found quality test results
related to security. Sure, many people have said it is more secure than IE,
but you would need to prove it to me. Same goes for any other browser out
there. Can anyone point me to a resource which delves into the security of
alternative browsers? I am extremely hesitant about Mozilla due to the open
source and various "usability" bugs that I have already found. If the code
is wide open, what is stopping it from being vulnerable to hackers? As for
Opera, not sure I could convince management to buy it when there are free
alternatives. Then there's the problem of all the various corporate web
apps in use that only support IE, making it the lame duck browser, if you
will. So I need lots of ammo to shoot that duck out of the sky.

The new browser war is here, commence firing!!

 

[Torgeir Bakken \(MVP\)]

(snip)
My personal belief is that this is NOT in fact a "patch" or "fix" for the
vulnerability in question, but instead is just a partial workaround. Here
is Microsoft's page related to the issue:
http://www.microsoft.com/security/incident/Download_Ject.mspx

Note that for both home users and corporate workstations, they recommend
making manual adjustments to settings to "increase browsing safety" and
"increase security of the local machine zone in Internet Explorer" in
ADDITION to applying the 870669 patch. This suggests to me that the little
reg hack which the patch applies does little to address the vulnerability,
and it is really up to end-users and admins to protect their systems with
the manual steps listed here:
http://www.microsoft.com/security/incident/settings.mspx
and here:
http://support.microsoft.com/?kbid=871277

Granted these are known security best practices related to Internet
Explorer; however, I find it odd that MS is not simply releasing a fixall
patch for this issue - especially since it claims that it HAS FIXED this
issue with Windows XP SP2.
(snip)

Hi

Note the following from a recent Microsoft press release:

Microsoft Statement Regarding Configuration Change to Windows in
Response to Download.Ject Security Issue
http://www.microsoft.com/presspass/press/2004/jul04/07-02configchange.asp

<quote>
In addition to this configuration change, which will protect customers
against the immediate reported threats, Microsoft is working to provide
a series of security updates to Internet Explorer in coming weeks that
will provide additional protections for our customers.

Later this summer, Microsoft will release Windows XP Service Pack 2,
which includes the most up-to-date network, Web browsing and e-mail
features designed to help protect against malicious attacks and reduce
unwanted content and downloads. A comprehensive update for all
supported versions of Internet Explorer will be released once it has
been thoroughly tested and found to be effective across a wide variety
of supported versions and configurations of Internet Explorer.
</quote>

 

[BeamGuy]

Ok, I am still a bit confused, maybe someone can enlighten me.

First, some background info:
http://www.internetnews.com/security/article.php/3374251

There's more. This vulnerability is still unpatched per the following
resources:
http://www.kb.cert.org/vuls/id/713878
http://xforce.iss.net/xforce/xfdb/16361

Today I read what appears to be a misguided article regarding the KB870669
patch recently released by Microsoft. Here is the article:
http://news.com.com/2010-1009-5256301.html?tag=nefd.acpro
(this guy is an Executive Editor???) I will try to explain below why I
think it is misguided.

My personal belief is that this is NOT in fact a "patch" or "fix" for the
vulnerability in question, but instead is just a partial workaround. Here
is Microsoft's page related to the issue:
http://www.microsoft.com/security/incident/Download_Ject.mspx

Note that for both home users and corporate workstations, they recommend
making manual adjustments to settings to "increase browsing safety" and
"increase security of the local machine zone in Internet Explorer" in
ADDITION to applying the 870669 patch. This suggests to me that the little
reg hack which the patch applies does little to address the vulnerability,
and it is really up to end-users and admins to protect their systems with
the manual steps listed here:
http://www.microsoft.com/security/incident/settings.mspx
and here:
http://support.microsoft.com/?kbid=871277

Granted these are known security best practices related to Internet
Explorer; however, I find it odd that MS is not simply releasing a fixall
patch for this issue - especially since it claims that it HAS FIXED this
issue with Windows XP SP2.

Also, I find it silly that technical writers are not more careful in their
research and understanding of these security issues. Mr. Berlind, in the
news.com article above, is making it sound as if 870669 is a patch and all
you need to do is go get it. He complains that he could not get it fast
enough, but he makes no effort to examine the patch itself to see if it
truly addresses the problem. He just assumes Microsoft will take care of
him, eventually.

I am not so convinced. Now, we are all being warned that IE simply cannot
be trusted anymore:
http://www.internetnews.com/security/article.php/3374931

So, in keeping an open mind, and seeing the pendulum now swinging back in
the other direction, away from Internet Explorer as the dominant browser, we
must all begin looking at the alternatives. As a network admin with
responsibilities including the security of over 1000 Windows computers and
several hundred servers, I am facing the daunting task of deciding to deploy
"workarounds," reg hacks, policies, and untold future "patches" to my users
in order to keep them safe while using IE and pray that it is enough and
that our virus protection and firewall will take care of the rest, or deploy
a new default browser to users and hope that it will be safe enough.

I am looking at Mozilla Firefox, but I have not found quality test results
related to security. Sure, many people have said it is more secure than IE,
but you would need to prove it to me. Same goes for any other browser out
there. Can anyone point me to a resource which delves into the security of
alternative browsers? I am extremely hesitant about Mozilla due to the open
source and various "usability" bugs that I have already found. If the code
is wide open, what is stopping it from being vulnerable to hackers? As for
Opera, not sure I could convince management to buy it when there are free
alternatives. Then there's the problem of all the various corporate web
apps in use that only support IE, making it the lame duck browser, if you
will. So I need lots of ammo to shoot that duck out of the sky.

The new browser war is here, commence firing!!

-------------------------------------------

Let me see if I can create a story here that makes sense. I'm sure the experts
will correct everything I say that is wrong - which is likely most of what I say.

1) The people who write viruses and break into your computer to steal credit
information or turn them into spambots do not find the holes in IE, windows,
linux or any other OS themselves. They for the most part find them published
on the web in places like this:
http://www.securityfocus.com/bid/10514/exploit/

2) These exploits are found by hackers and published on the web out of a
sense of public service - the theory is that if exploits are found and plugged then
some organization that has the resources to find them and exploit them
themselves, like for instance the secret service arm of a hostile foreign
government, will not find them and exploit them without detection. It is these
guys that exploit it without detection that are the scariest. The latest exploit was
discovered 10 months ago, and might have been patched last week - but
reports abound that it is still not patched.

3) The way the game is supposed to be played is that once the exploits are
discovered the software manufacturer is supposed to plug the holes before the
person who really wants to exploit the bug has a chance to figure out how
to use the exploit to write their virus, spambot, or keylogger.

4) What we all are peeved about is that the folks writing IE don't appear to
be playing the game by these rules - instead they refuse to plug the wholes and
tell us that anyone with a comprimized browser got it on their own from visiting
a site they should not have.

5) Now it turns out that even the sites of the Fortune 500 companies are some
of those sites that you should not visit with IE.

--------

It could be that mozilla has more security holes than IE, that is not important.
What is important is that we all feel they will play the game by these rules and
patch the holes when they are found and documented, before they can be
exploited. What we are betting on is the character of an orginization, and we
all expect that the open source generation might respond to change a little more
nimbly than what has already been. It is, however, impossible to predict the
future; but we can learn from the past.

 

[serverguy]

Yes, it says the changes "will protect customers against the immediate
reported threats," and that's great! But the vulnerability remains and
other threats that attack that vulnerability but that are different from the
"immediate threats" could arrive on the scene any day now. Microsoft does
not claim to have an actual "fix" for the vulnerability which was reported
months ago, except in SP2 which has not yet been released in production.
From the tone of the press release "...is working to provide..." and "Later
this summer...." are phrases suggesting they are only just reacting to the
issue now. That's just not good enough. They need to speed things up and
fix reported holes BEFORE they are breached.

Meanwhile, the Russian server that was "shut down" was probably just moved
elsewhere and the coders are busy working around the workaround.

Please don't take this the wrong way. I think Microsoft has been more
responsive in recent years to security. The Blaster issue was patched by
Microsoft before the worm hit, so it was really up to users to protect
themselves. This time, the hole was NOT closed in time and the threat has
already done it's damage with more threats possible. Due to this, I am
merely suggesting that one should no longer rely on Microsoft to fix it's
security problems in a timely manner, and individuals should seek their own
solutions if necessary. I work under the auspices of Hipaa and many other
folks like me have other genuine security concerns these days that will need
real solutions from multiple resources.

 

[serverguy]

More ammo:
http://news.com.com/Another+Internet+Explorer+flaw+found/2100-7349_3-5259374.html?tag=nefd.top