It's not an out of band patch because there's no remote takeover of the machine possible and/or there's no exploits in the wild.
I wasn't casting anyone in this discussion as Linux or FF fanboys. I was referring to bloggers who reflexively write "don't use IE". Carl From: Jonathan Link [mailto:[email protected]] Sent: Thursday, February 04, 2010 3:20 PM To: NT System Admin Issues Subject: Re: IE info-disclosure bug disclosed at Black Hat You're broadening the arguement. Never mentioned Linux or FF. However, Microsoft has disembled about vulnerabilities and products in the past, so they have established a precedent as far as the level of trust I have for THEM, individually. Does this individual have an agenda? Maybe, sure, it's possible, but Microsoft has one, too. I wonder why the've released a fixit, publicized it instead of forcing an out of band patch via Windows Update? It's better to err on the side of caution; update now. As to Mojave, good, I'm glad it was good for you. My experience on a notebook with a T7700 proccessor 4GB RAM and Vista Business 64 was prone to pauses, stuttering, inexplicable locking, IE crashing, MS Word crashing. None of that happened on XP 32 bit or now on Windows 7 Pro 64 bit. On Thu, Feb 4, 2010 at 3:08 PM, Carl Houseman <[email protected]> wrote: So, is there a video of Medina's presentation? Too much chicken-little FUDding is done with these things, not to mention, jump-on-the-bandwagon Microsoft or IE bashing by FF and Linux fanboys. And yes, I'm quite happy with Windows Mojave. From: Jonathan Link [mailto:[email protected]] Sent: Thursday, February 04, 2010 2:53 PM To: NT System Admin Issues Subject: Re: IE info-disclosure bug disclosed at Black Hat >From the blog post "Medina's presentation demonstrated how an attacker can read every file of an IE user's filesystem." I'll lean on the side of being conservative and cautions and presume that the blog post means what it says, after all, Microsoft has never misled about the nature of a vulnerability or the virtues of a product. *Cough* Mojave *cough*. IS Mark Maiffret out there? :-) On Thu, Feb 4, 2010 at 2:43 PM, Carl Houseman <[email protected]> wrote: That's a well known folder, not a well known file. Exposure of folder contents does not appear to be included in this flaw. Again, name a well known data file (a specific file that exists for nearly every Windows installation of that Windows version) that could lead to critical harm if disclosed to an attacker. From: Jonathan Link [mailto:[email protected]] Sent: Thursday, February 04, 2010 2:34 PM To: NT System Admin Issues Subject: Re: IE info-disclosure bug disclosed at Black Hat c:\documents and settings\<user>\My Documents c:\users\<user>\Documents Many companies, especially small companies store their data here. Our users for the most part store data here for staging purposes when they are out in the field performing an audit. Eventually it gets cleaned out when incorporated into our engagement management software. On Thu, Feb 4, 2010 at 1:42 PM, Carl Houseman <[email protected]> wrote: Secunia doesn't seem to think it's that critical, certainly not in the same league as system-takeover problems. Name any well known data file on my computer that would cause me "super critical" harm if disclosed. Don't bother with the local SAM, they can have it, since there's no remote access via a local account. Carl -----Original Message----- From: Kurt Buff [mailto:[email protected]] Sent: Thursday, February 04, 2010 12:29 PM To: NT System Admin Issues Subject: Re: IE info-disclosure bug disclosed at Black Hat Super critical, because paths to many well-known data files are always the same. On Thu, Feb 4, 2010 at 09:10, Carl Houseman <[email protected]> wrote: > It's not IE6, it's any version of IE that's not in "protected mode" (so, any > version of IE on XP, and or an elevated or UAC-disabled IE under Vista/7). > > Seems not that super-critical since exploit must know a complete path to a > specific file that's going to be revealed. > > Carl > > -----Original Message----- > From: Angus Scott-Fleming [mailto:[email protected]] > Sent: Thursday, February 04, 2010 11:57 AM > To: NT System Admin Issues > Subject: IE info-disclosure bug disclosed at Black Hat > > MSRC bulletin released, MS Security Advisory released, ZDNet Zero-Day has a > story. > > An information-leakage problem in Internet Explorer has been disclosed > at > this week's Black Hat conference. It seems that if you use Internet > Explorer to surf the Internet, the Bad Guys can now read ANY FILE on > your > hard drive. Details and info on a Microsoft-issued "FixIt" solution are > > in the latest blog entry at http://geoapps.blogspot.com/ -- so if you > use > IE, especially IE6, please go read up on this and get patching. > > > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
