On Sat, Feb 15, 2014 at 10:59 AM, Greg Keogh <[email protected]> wrote:

> Folks, one of our customers has an IT admin guy who is a Linux fan and
> runs a farm of Linux servers. He has the typical cultural anti-Microsoft
> bias that I'm sure we encounter now and then. Not normally a problem, but
> he's forwarding around scary emails warning of vulnerabilities in IE and
> Silverlight which could put our deployment at risk.
>
> I became suspicious when yesterday he said something like "because IE is
> 'closer' to the operating system than other browsers, a flaw in IE makes
> Windows more vulnerable".

Inasmuch as you cannot remove it in lieu of another browser? Well, in terms of attack surface, that increases Windows because you can't remove it, but MS are doing a much better job of managing this these days.

> This seems preposterous to me, and it's vague, but it pleases me to
> imagine that the User/Kernel mode boundaries between IE and Windows are no
> different than any other normal application.
>
> Anyway, in his email he links to these pages:
>
> http://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-19887/Microsoft-Silverlight.html
> http://cwonline.computerworld.com/t/8857906/669819191/656856/12/
>
> I don't see anything particularly scary in these. It looks like a
> Silverlight app would have to be specifically crafted to be a threat (and
> I'm not intending to do that!). The other stuff about IE is just the usual
> stuff you see on quiet news days.

That's standard threat assessment, isn't it? (doesn't mean you would, means you could, I mean)

> Any comments anyone to help us slap this Linux guy down?

Yeah, I'd question why he's doing this. IOW, motive.

> *Greg K*

--
Meski
http://courteous.ly/aAOZcv

"Going to Starbucks for coffee is like going to prison for sex. Sure, you'll get it, but it's going to be rough" - Adam Hills
