New IE Vulnerability..... (eh?)

The overall security of Internet Explorer is not entrusted only to MS developers themselves, although Vista's security model, MS DEP and other additional security layers do help.

Besides, regardless of the undeniable impact of market share on Internet Explorer's factual security, and assuming no one can claim any product to be 100% secure, do additional protection layers provide enough of a reason to neglect the sheer number of known vulnerabilities, even if the additional protection will eventually be able to mitigate or negate undesired outcomes?

Although I guess many users will still find the pre-bundled IE and the eventual additional security layers plenty enough to suit their current needs, I still hope they will at least consider not delaying system/software/component updates and eventually use 3rd-party tools like Comodo Vulnerability Analyzer or Secunia Personal Inspector.

At least in cases where a patch is available, I guess there would not be much to argue about without explicitly questioning the need for security patches on systems protected by additional security layers. :-\

Can you substantiate that, say, with a list of unresolved issues by Secunia?

Don't expect any pre-emptive security from their browser, just that they address the problems that are evident. I don't expect CIS to have to cover for the sloppiness of other products, even though I accept you do it very well.
The buffer overrun error is intimately tied to C++, if I understand things correctly. That is the dominant programming language for operating systems and programs. So it is something we cannot shake off no matter what OS we are using. If another OS were dominant, there would be many more errors found for that OS.

So we would be needing pre-emptive measures no matter how hard we push and bash Microsoft.
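A worked illustration of the buffer overrun point made above, added here as an example; it is not code from the original post, from Internet Explorer, or from any real product. The record type, its field names and the sample hostname are all constructed for the demo: a fixed-size name buffer sits directly in front of a security-relevant flag, the unbounded copy lets an overlong input clobber that flag, and the bounded version refuses the input instead.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Hypothetical per-site record, constructed for this example only.
 * The fixed-size name buffer sits directly before a security-relevant flag. */
struct site_record {
    char     hostname[16];
    uint32_t trusted_zone;   /* 0 = Internet zone, non-zero = trusted */
};

/* VULNERABLE: unbounded copy of attacker-controlled input.
 * A hostname of 16 bytes or more overruns hostname[] and lands in
 * trusted_zone. Writing past the array is undefined behaviour in C;
 * on common compilers and the layout above it simply clobbers the
 * adjacent field, which is exactly how such bugs get exploited. */
void set_hostname_vulnerable(struct site_record *r, const char *name)
{
    strcpy(r->hostname, name);             /* no length check */
}

/* HARDENED: refuse input that does not fit, then copy with an explicit bound.
 * Returns 0 on success, -1 on rejection; the record is untouched on failure. */
int set_hostname_safe(struct site_record *r, const char *name)
{
    /* Look for the terminator within the buffer size. memchr stops at the
     * first match, so a short input is never over-read, and an unterminated
     * or overlong input is caught before anything is written. */
    const char *nul = memchr(name, '\0', sizeof(r->hostname));
    if (nul == NULL)
        return -1;                         /* 16+ bytes: no room for the NUL */
    size_t len = (size_t)(nul - name);
    memcpy(r->hostname, name, len + 1);    /* includes the terminating NUL */
    return 0;
}

/* Returns 1 if the hardened setter accepted `name` and the record holds it
 * with trusted_zone still 0, or 0 if the input was rejected. */
int safe_accepts(const char *name)
{
    struct site_record r = { "", 0 };
    if (set_hostname_safe(&r, name) != 0)
        return 0;
    return strcmp(r.hostname, name) == 0 && r.trusted_zone == 0;
}

/* Returns trusted_zone after the vulnerable setter ran on `name`.
 * Only meaningful for names shorter than 16 bytes; longer names trigger
 * the overrun shown in main(). */
uint32_t vulnerable_zone_after(const char *name)
{
    struct site_record r = { "", 0 };
    set_hostname_vulnerable(&r, name);
    return r.trusted_zone;
}

int main(void)
{
    /* Constructed input, 19 characters: 16 fill hostname[], the remaining
     * 3 plus the NUL land in trusted_zone. That is still inside the 20-byte
     * struct, so the demo flips the flag without smashing the stack frame. */
    const char *overlong = "evil.example.comZZZ";

    printf("vulnerable: trusted_zone = 0x%08x (non-zero => site now 'trusted')\n",
           vulnerable_zone_after(overlong));
    printf("hardened:   accepted = %d for the overlong name (0 => rejected)\n",
           safe_accepts(overlong));
    printf("hardened:   accepted = %d for \"example.com\"\n",
           safe_accepts("example.com"));
    return 0;
}
```

The only difference between the two setters is that the hardened one checks the length against the destination size before writing; that check is what `strcpy` never does, and it is why the same class of bug recurs in every large C/C++ code base regardless of vendor. Build with a sanitizer (`-fsanitize=address`) to see the overrun reported at the `strcpy` line.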

Indeed, and that is my point! No matter what you do, you always need prevention-based protection like CIS.

Melih

Yes, the current Secunia report for IE7 is here:

And yes, you're right, pre-emptive measures are definitely needed for unknown threats; however, they shouldn't be required for well-known issues that Microsoft doesn't bother to address, or addresses after a long wait on Patch Tuesday. If Mozilla and Opera make the effort to protect their users as flaws come to light, why should Microsoft, with their huge resources and unfair market advantage, be exempt from it?

100% agreement with that statement, it's an imperative.

Not wanting to reawaken this discussion, as everything has already been discussed, but Opera does have its weaknesses and they take time to be resolved.

http://www.pcworld.com/article/155854/opera_severe_hole.html?tk=rss_news

“Opera says the fix, which only applies to machines running Windows, covers two flaws categorized as “extremely severe” and three listed as “highly severe.””

Version 9.62 Final came out on October 30 and version 9.63 Final on December 16 (http://www.opera.com/docs/changelogs/windows/963/).

A month and a half later.

I can only assume you're referring to one of these issues, the only ones I can find near that time?:

If so, stable beta patches were available 16 days and 3 days after discovery respectively?

Time between releases doesn't mean the time needed for them to be solved.

Anyway, I would like to hear your comments about:

And eventually know if the differences could be considered irrelevant and for what reasons.

If they're the same, then I guess the security vulnerabilities were there even before version 9.62 came out, as that one only came out on October 30.

The issues reported on those links date from 2008-10-08 and 2008-10-21, respectively.

The first report of known vulnerabilities was to alert users to update to version 9.6(0).x

The second report of known vulnerabilities was to alert users to update to version 9.61.x and not 9.62.x

Not to update to version 9.63.

I know that the time between releases doesn't mean the time needed to be solved, but wouldn't that only mean they (the Opera guys) didn't consider those vulnerabilities important at the time of discovery? Hence the last update (that I know of) is version 9.63, which came out these days and mentions that “the fix, which only applies to machines running Windows, covers two flaws categorized as “extremely severe” and three listed as “highly severe.””?

So, 2 are extremely severe and 3 highly severe, but Opera does not patch them soon enough? Not important enough to be patched as soon as possible? Or is as soon as possible more than a month?

Don't get me wrong. I've been an Opera user since forever, but I find it odd, as I'm not aware of any updates between the latest 9.62 version and version 9.63. I might be mistaken, but I don't think there was one.

Perhaps, due to the fact that Opera isn't used as much as IE and Firefox, they considered there would be no real danger to users?

That would explain how you misinterpreted the time-frame between release dates as the time to fix and release, thus stating they weren't patched as soon as possible (although I didn't ask you that).

Anyway, let me ask you again.

I would like to hear your comments about:

And eventually know if the differences could be considered irrelevant and for what reasons.

In that case I'm not sure at all, since those were the most recent issues listed for Opera, nothing since. ???

Of course this doesn't excuse Microsoft, with its huge monopoly position, taking a very lax attitude toward patching the flaws in its products. The emergency update the other day was a rarity; usually it's keep your fingers crossed and wait until Patch Tuesday. 88)

I agree with you.

I too was surprised to see Microsoft release the patch faster than usual and not wait for the normal procedure, that is, making updates available every first Tuesday of every month.

They did the right thing and, unfortunately, I believe it is an exception that may not happen again any time soon. Unless, of course, they change their policy.

I think they should. After all, we're talking about a browser that comes bundled with a paid, and well paid, operating system. As we know, a properly patched system and apps are halfway to a better protected system.

I understand where you want to get to from here, hence my silence, as I thought you would understand I agree with you. That is, if I understand it well. :smiley:

When I first wrote about the vulnerabilities in Opera 9.62, I had no intention of saying it is a less safe browser, or not as safe as we thought it was. I would be crazy to say that, as I have been an Opera user for a very long time. It would have been contradictory. It was only to say that every application, and in this specific case, web browsers, have their own vulnerabilities. Some not so extreme, others extreme, others very extreme. Not all of them are patched as fast as one would expect, and we can only hope that nothing will happen to our systems and us, by using certain protection measures.

I did not ask about Opera itself but about the three browsers that currently have most of the Windows user base, to possibly understand if there were additional criteria to acknowledge.

E.g., including the recent 0-day vulnerability, Internet Explorer is the only browser that has had Extremely Critical vulnerabilities so far. The reported vulnerabilities of other 3rd-party browsers have never reached the Extremely Critical rating so far (including Safari).

Regardless of the time needed to patch the recent 0-day Extremely Critical vulnerability, Microsoft Internet Explorer 7.x still has unpatched vulnerabilities reported many months ago, regardless of the fact that IE patches need not be developed/tested for alternate OSes.

The most severe unpatched Secunia advisory affecting Microsoft Internet Explorer 7.x, with all vendor patches applied, is rated Moderately critical

The recent beta patch feat surely proves that Microsoft's resources can provide very fast responses (I guess even at the cost of temporarily halting the development cycle), yet another recently acknowledged delay should at least confirm that even Microsoft cannot provide fast updates every time.

As for IE vulnerabilities, the ones triggered by its ActiveX support and that pertain to legitimate 3rd-party vendors are addressed separately, even though they affect IE users just like those of IE itself.

And yet I got the impression these and other eventual differences are not worth mentioning, almost as if, since no software is 100% secure, nothing else matters.

I still wonder if any reader may feel tempted not to bother updating his OS and software and to rely on additional protection layers to avoid maintenance.

If they do that, I hope they will tell everybody they suggest an application to, to apply the same additional protection layers they have, because if they forget, others may not have the same end-user experience.

Melih rightly pointed out that CIS offers protection against all manner of 0-day threats, but we users are the lucky minority. The overwhelming majority of PC users go online with just the Windows firewall and an AV of varying quality for protection. These are the users that are most vulnerable to the whims of Microsoft's updates. It's a shame that CIS doesn't come bundled with Windows. :slight_smile:

Of course they shouldn't use protective measures and not patch their OSes. It would be insane to do so.

But, vulnerabilities will always exist, unless someone codes in a 100% perfect way.

“the fix, which only applies to machines running Windows, covers two flaws categorized as “extremely severe” and three listed as “highly severe.”” (Regarding Opera)

Isn’t extremely severe = extremely critical?

I’m not here to excuse Microsoft. They should release patches sooner than they do.

But why say this about Microsoft and not about others? For example, Apple.

When Dan Kaminsky found a fundamental issue in DNS (DNS cache poisoning), he decided to work on a coordinated patch with a large group of vendors, such as Microsoft and Apple.

If I am not mistaken, 1 week after he brought it to the public, Microsoft and others had released patches to cover this issue. Apple still hadn't. Then Dan Kaminsky said that the problem was worse than he had predicted the first time. Meaning, the problem was worse, but Apple still had no patch for the first known issue.

Microsoft had.

I know this is off-topic, but just to mention that Microsoft is not the only company that is late to patch its systems and apps.

If every vendor released a patch right after a vulnerability is first found, heck, it would be a perfect world. But, I guess there is no such thing.

So, why wait for a vulnerability to be patched and not take preventive measures? Otherwise, tools such as D+, CMF/SafeSurf, LinkScanner Pro and others would make no sense at all. They exist for a reason. And the reason is that the people behind them know that vulnerabilities will always exist and that vendors will always be late in patching them. Unfortunate, but the truth.

(:CLP) (:NRD)

As to the discussion about Microsoft and patching: it was stated that Microsoft did a bad job of documenting their code. As a consequence, they have to make a patch and then test it without having properly described code. That surely makes the process of patching slower, no matter how hard we criticize and bash Microsoft.

Yep. But my concerns are focused not on the availability of protections but on approaches that trigger users to learn and understand the underlying security issues, in order to let them autonomously evaluate their needs without relying on install-and-forget approaches.

As I still read about users who installed CIS without D+ or SafeSurf/CMF, I believe that CIS, SafeSurf and CMF can protect all users who installed these products to the extent these users allow them to and these products are designed to.

Regardless of rumors triggered by code leaks of previous Windows versions, IMHO the eventual complexity of IE is related to a controversial design decision that still applies today.

Internet browsing is only one of the tasks IE was designed for, and even ActiveX usually doesn't mean IE plugins only.

More complexity means that more things can go wrong, which makes them harder to test for vulnerabilities. As we build more and more complex software it becomes more challenging to check for flaws. The more code added, the more moving parts the software has, and the more complex it becomes. Testing for all permutations of all scenarios becomes very difficult.