Interesting People mailing list archives
IP: Re: IE5 Security Hole Makes Users' PCs Vulnerable
From: David Farber <farber () cis upenn edu>
Date: Thu, 2 Sep 1999 13:09:49 -0400
X-Sender: >X-Sender: brett@localhost Date: Thu, 02 Sep 1999 10:48:04 -0600 To: farber () cis upenn edu, ip-sub-1 () admin listbox com From: Brett Glass <brett () lariat org> Subject: IP: Re: IE5 Security Hole Makes Users' PCs Vulnerable Rhys Weekley" <rhyso () mail com> writes:The ZDNet article says Microsoft has done nothing about this, butthey have released a patch already. See http://www.microsoft.com/security/bulletins/ms99-032.asp. Microsoft's security bulletin regarding the patch states that it was "Originally" posted on August 31, 1999 -- ten days after Guninski posted information about the hole to public mailing lists. (The bulletin, mailed at noon on that day, does not appear to have been linked into Microsoft's security Web site -- where most users look for such announcements -- until September 1.) Thus, Microsoft took more than a week and a half after the announcement of the hole to respond, and longer still to post the bulletin to its Web site. The article which was published on the ZDNet Help Channel (http://www.zdnet.com/zdhelp/stories/main/0,5594,2322425,00.html) and also on ZDNN was correct in saying that, at the time it was written, Microsoft had not provided a patch or even publicly acknowledged the problem. The article may have spurred Microsoft to release a patch more quickly than it would have otherwise. Alas, users of IE5, Outlook, Outlook Express, Eudora Lite, Eudora Pro,TurboTax, Quicken, Microsoft Office, and other programs were vulnerable in the interim unless they took the steps mentioned in that article. Even now, the fast majority of IE5 users are still vulnerable, and will continue to be so unless they follow those steps and/or install Microsoft's patch. (The instructions in the article, which shut down ActiveX and Active Scripting altogether, may be safer than applying Microsoft's patch, because there are almost certainly other ActiveX controls with potential exploits.) Microsoft does not go out of its way to publicize security problems widely to end users, and the major news outlets often do not consider the CLOSING of a hole to be worthy of a news story. Therefore, many users will be vulnerable indefinitely. --Brett Glass
Current thread:
- IP: Re: IE5 Security Hole Makes Users' PCs Vulnerable David Farber (Sep 02)
- <Possible follow-ups>
- IP: Re: IE5 Security Hole Makes Users' PCs Vulnerable David Farber (Sep 02)