RE: Security scaremongering

2014-02-16 Thread anthonyatsmallbiz
I have noticed Firefox complaining about Silverlight recently, saying
security vulnerability... anyone else seen this?

Anthony Salerno | Consultant | SmallBiz Australia
Software Developers | Mobile | Tablet | Software | Web | eCommerce | IT Support
Phone  : +613 8400 4191 Email  : 2Anthony (at) smallbiz.com.au   Postal : Po
Box 135, Lower Plenty 3093 ABN : 16 079 706 737

From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com]
On Behalf Of Scott Barnes
Sent: Saturday, 15 February 2014 12:54 PM
To: ozDotNet
Subject: Re: Security scaremongering

 

I don't see the correlation between IE and Silverlight here - sure the
browser has some exploits that *POTENTIALLY* are available but to throw
Silverlight out is to throw Java, Flash, Quicktime etc also out. 

Focus on the role not the person is your first approach, if this person is
trying to build their Security Empire and using anti-Microsoft bias as a way
to fuel the flames, ask questions about the role, interrogate their actual
position boundaries to determine if it's a person with accountability
authority or just some loud mouth (like me) shooting shit from the
sidelines?

Next is risk assessment, ok so there's a flaw in the system. There are
1000's of flaws in every corporation's systems (even Microsoft's) now comes
back to Consequences vs Likelihood of that actually being a risk. It's all
well and good to argue If 1x genius finds this flaw and triggers it, well
it's Zombieland for mankind... but what's the consequences really of that
activity from happening and lastly how likely is it from actually happening.
If you're tucked snugly inside a DMZ it comes back to now What's the
likelihood of an employee exploiting this hole to add further pain to other
employees? because once a corporation's firewall gets penetrated... IE flaws
become 1 of 1000+ problems that company will face (not saying it should be
patched, just ...I dunno...reality check that shit).

It reminds me of the virus scanner debates where Security Essentials got a
low rating because it didn't track something like 100+ virus signatures...
and Microsoft Security came back and said something like Yeah but nobody
has seen those viruses since the 90's and even today the likelihood of them
working is still low ..basically they apparently (don't quote me on this)
outlined the risk matrix and told these other jackasses to calm down but in
their own polite manner.

I'm pretty confident Silverlight is secure to the point where during its
creation there was a lot of effort that went into making sure there was 0
security issues known, because ultimately during that period had one existed
we'd have been crucified and Adobe would have seized that as a moment to
choke us PR wise. I can't say for sure exactly how secure Silverlight is but
I do remember Program Managers saying with high confidence I'd like to see
them try.. 

Just tell the dude fine you win, we'll use Chrome. so back to
Silverlight..where's the data champ... :) as personally I think IE should
have been taken out to the woodshed long ago...so idiots like these don't
get to use the branding cancer against its ACTUAL technical rehabilitation
... 




---
Regards,
Scott Barnes
http://www.riagenic.com

 

On Sat, Feb 15, 2014 at 10:57 AM, Stephen Price step...@perthprojects.com
wrote:

Why so much hate?

Haters are going to hate. I wouldn't bother, it would be like that cartoon
about someone being wrong on the internet... 

On Feb 15, 2014 8:00 AM, Greg Keogh g...@mira.net wrote:

Folks, one of our customers has an IT admin guy who is a Linux fan and runs
a farm of Linux servers. He has the typical cultural anti-Microsoft bias
that I'm sure we encounter now and then. Not normally a problem, but he's
forwarding around scary emails warning of vulnerabilities in IE and
Silverlight which could put our deployment at risk.

 

I became suspicious when yesterday he said something like because IE is
'closer' to the operating system than other browsers, a flaw in IE makes
Windows more vulnerable. This seems preposterous to me, and it's vague, but
it pleases me to imagine that the User/Kernel mode boundaries between IE and
Windows are no different than any other normal application.

 

Anyway, in his email he links to these pages:

 

http://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-19887/Microsoft-Silverlight.html

http://cwonline.computerworld.com/t/8857906/669819191/656856/12/

 

I don't see anything particularly scary in these. It looks like a
Silverlight app would have to be specifically crafted to be a threat (and
I'm not intending to do that!). The other stuff about IE is just the usual
stuff you see on quiet news days.

 

Any comments anyone to help us slap this Linux guy down?

 

Greg K

 



RE: Security scaremongering

2014-02-16 Thread Nathan Chere
Firefox whinges about everything lately. e.g. I don't care if Java is insecure
again when I updated less than half an hour ago, but it forces either update or
go without.

Does anyone perhaps know how to block the service Firefox uses to check for 
plugin updates?

From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com] On 
Behalf Of anthonyatsmall...@mail.com
Sent: Monday, 17 February 2014 11:06 AM
To: 'ozDotNet'
Subject: RE: Security scaremongering

I have noticed Firefox complaining about Silverlight recently, saying security
vulnerability... anyone else seen this?


Anthony Salerno | Consultant | SmallBiz Australia
Software Developers | Mobile | Tablet | Software | Web | eCommerce | IT Support
Phone  : +613 8400 4191 Email  : 2Anthony (at) smallbiz.com.au   Postal : Po 
Box 135, Lower Plenty 3093 ABN : 16 079 706 737



From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com]
On Behalf Of Scott Barnes
Sent: Saturday, 15 February 2014 12:54 PM
To: ozDotNet
Subject: Re: Security scaremongering

I don't see the correlation between IE and Silverlight here - sure the browser 
has some exploits that *POTENTIALLY* are available but to throw Silverlight out 
is to throw Java, Flash, Quicktime etc also out.

Focus on the role not the person is your first approach, if this person is
trying to build their Security Empire and using anti-Microsoft bias as a way to
fuel the flames, ask questions about the role, interrogate their actual
position boundaries to determine if it's a person with accountability
authority or just some loud mouth (like me) shooting shit from the sidelines?

Next is risk assessment, ok so there's a flaw in the system. There are 1000's
of flaws in every corporation's systems (even Microsoft's) now comes back to
Consequences vs Likelihood of that actually being a risk. It's all well and
good to argue If 1x genius finds this flaw and triggers it, well it's
Zombieland for mankind... but what's the consequences really of that activity
from happening and lastly how likely is it from actually happening. If you're
tucked snugly inside a DMZ it comes back to now What's the likelihood of an
employee exploiting this hole to add further pain to other employees? because
once a corporation's firewall gets penetrated... IE flaws become 1 of 1000+
problems that company will face (not saying it should be patched, just ...I
dunno...reality check that shit).

It reminds me of the virus scanner debates where Security Essentials got a low
rating because it didn't track something like 100+ virus signatures... and
Microsoft Security came back and said something like Yeah but nobody has seen
those viruses since the 90's and even today the likelihood of them working is
still low ..basically they apparently (don't quote me on this) outlined the
risk matrix and told these other jackasses to calm down but in their own polite
manner.

I'm pretty confident Silverlight is secure to the point where during its 
creation there was a lot of effort that went into making sure there was 0 
security issues known, because ultimately during that period had one existed 
we'd have been crucified and Adobe would have seized that as a moment to choke 
us PR wise. I can't say for sure exactly how secure Silverlight is but I do 
remember Program Managers saying with high confidence I'd like to see them 
try..

Just tell the dude fine you win, we'll use Chrome. so back to 
Silverlight..where's the data champ... :) as personally I think IE should have 
been taken out to the woodshed long ago...so idiots like these don't get to use 
the branding cancer against its ACTUAL technical rehabilitation ...

---
Regards,
Scott Barnes
http://www.riagenic.com

On Sat, Feb 15, 2014 at 10:57 AM, Stephen Price
step...@perthprojects.com wrote:

Why so much hate?

Haters are going to hate. I wouldn't bother, it would be like that cartoon 
about someone being wrong on the internet...

On Feb 15, 2014 8:00 AM, Greg Keogh g...@mira.net wrote:

Folks, one of our customers has an IT admin guy who is a Linux fan and runs a 
farm of Linux servers. He has the typical cultural anti-Microsoft bias that I'm 
sure we encounter now and then. Not normally a problem, but he's forwarding 
around scary emails warning of vulnerabilities in IE and Silverlight which 
could put our deployment at risk.

I became suspicious when yesterday he said something like because IE is 
'closer' to the operating system than other browsers, a flaw in IE makes 
Windows more vulnerable. This seems preposterous to me, and it's vague, but it 
pleases me to imagine that the User/Kernel mode boundaries between IE and 
Windows are no different than any other normal application.

Anyway, in his email he links to these pages:

http://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-19887/Microsoft-Silverlight.html
http

Security scaremongering

2014-02-14 Thread Greg Keogh
Folks, one of our customers has an IT admin guy who is a Linux fan and runs
a farm of Linux servers. He has the typical cultural anti-Microsoft bias
that I'm sure we encounter now and then. Not normally a problem, but he's
forwarding around scary emails warning of vulnerabilities in IE and
Silverlight which could put our deployment at risk.

I became suspicious when yesterday he said something like because IE is
'closer' to the operating system than other browsers, a flaw in IE makes
Windows more vulnerable. This seems preposterous to me, and it's vague,
but it pleases me to imagine that the User/Kernel mode boundaries between
IE and Windows are no different than any other normal application.

Anyway, in his email he links to these pages:

http://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-19887/Microsoft-Silverlight.html
http://cwonline.computerworld.com/t/8857906/669819191/656856/12/

I don't see anything particularly scary in these. It looks like a
Silverlight app would have to be specifically crafted to be a threat (and
I'm not intending to do that!). The other stuff about IE is just the usual
stuff you see on quiet news days.

Any comments anyone to help us slap this Linux guy down?

*Greg K*


Re: Security scaremongering

2014-02-14 Thread Stephen Price
Why so much hate?

Haters are going to hate. I wouldn't bother, it would be like that cartoon
about someone being wrong on the internet...
On Feb 15, 2014 8:00 AM, Greg Keogh g...@mira.net wrote:

 Folks, one of our customers has an IT admin guy who is a Linux fan and
 runs a farm of Linux servers. He has the typical cultural anti-Microsoft
 bias that I'm sure we encounter now and then. Not normally a problem, but
 he's forwarding around scary emails warning of vulnerabilities in IE and
 Silverlight which could put our deployment at risk.

 I became suspicious when yesterday he said something like because IE is
 'closer' to the operating system than other browsers, a flaw in IE makes
 Windows more vulnerable. This seems preposterous to me, and it's vague,
 but it pleases me to imagine that the User/Kernel mode boundaries between
 IE and Windows are no different than any other normal application.

 Anyway, in his email he links to these pages:


 http://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-19887/Microsoft-Silverlight.html
 http://cwonline.computerworld.com/t/8857906/669819191/656856/12/

 I don't see anything particularly scary in these. It looks like a
 Silverlight app would have to be specifically crafted to be a threat (and
 I'm not intending to do that!). The other stuff about IE is just the usual
 stuff you see on quiet news days.

 Any comments anyone to help us slap this Linux guy down?

 *Greg K*



Re: Security scaremongering

2014-02-14 Thread Scott Barnes
I don't see the correlation between IE and Silverlight here - sure the
browser has some exploits that *POTENTIALLY* are available but to throw
Silverlight out is to throw Java, Flash, Quicktime etc also out.

Focus on the role not the person is your first approach, if this person is
trying to build their Security Empire and using anti-Microsoft bias as a
way to fuel the flames, ask questions about the role, interrogate their
actual position boundaries to determine if it's a person with accountability
authority or just some loud mouth (like me) shooting shit from the
sidelines?

Next is risk assessment, ok so there's a flaw in the system. There are
1000's of flaws in every corporation's systems (even Microsoft's) now comes
back to Consequences vs Likelihood of that actually being a risk. It's all
well and good to argue If 1x genius finds this flaw and triggers it, well
it's Zombieland for mankind... but what's the consequences really of that
activity from happening and lastly how likely is it from actually
happening. If you're tucked snugly inside a DMZ it comes back to now
What's the likelihood of an employee exploiting this hole to add further
pain to other employees? because once a corporation's firewall gets
penetrated... IE flaws become 1 of 1000+ problems that company will face
(not saying it should be patched, just ...I dunno...reality check that
shit).

It reminds me of the virus scanner debates where Security Essentials got a
low rating because it didn't track something like 100+ virus signatures...
and Microsoft Security came back and said something like Yeah but nobody
has seen those viruses since the 90's and even today the likelihood of them
working is still low ..basically they apparently (don't quote me on this)
outlined the risk matrix and told these other jackasses to calm down but in
their own polite manner.

I'm pretty confident Silverlight is secure to the point where during its
creation there was a lot of effort that went into making sure there was 0
security issues known, because ultimately during that period had one
existed we'd have been crucified and Adobe would have seized that as a
moment to choke us PR wise. I can't say for sure exactly how secure
Silverlight is but I do remember Program Managers saying with high
confidence I'd like to see them try..

Just tell the dude fine you win, we'll use Chrome. so back to
Silverlight..where's the data champ... :) as personally I think IE should
have been taken out to the woodshed long ago...so idiots like these don't
get to use the branding cancer against its ACTUAL technical rehabilitation
...


---
Regards,
Scott Barnes
http://www.riagenic.com


On Sat, Feb 15, 2014 at 10:57 AM, Stephen Price
step...@perthprojects.com wrote:

 Why so much hate?

 Haters are going to hate. I wouldn't bother, it would be like that cartoon
 about someone being wrong on the internet...
 On Feb 15, 2014 8:00 AM, Greg Keogh g...@mira.net wrote:

 Folks, one of our customers has an IT admin guy who is a Linux fan and
 runs a farm of Linux servers. He has the typical cultural anti-Microsoft
 bias that I'm sure we encounter now and then. Not normally a problem, but
 he's forwarding around scary emails warning of vulnerabilities in IE and
 Silverlight which could put our deployment at risk.

 I became suspicious when yesterday he said something like because IE is
 'closer' to the operating system than other browsers, a flaw in IE makes
 Windows more vulnerable. This seems preposterous to me, and it's vague,
 but it pleases me to imagine that the User/Kernel mode boundaries between
 IE and Windows are no different than any other normal application.

 Anyway, in his email he links to these pages:


 http://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-19887/Microsoft-Silverlight.html
 http://cwonline.computerworld.com/t/8857906/669819191/656856/12/

 I don't see anything particularly scary in these. It looks like a
 Silverlight app would have to be specifically crafted to be a threat (and
 I'm not intending to do that!). The other stuff about IE is just the usual
 stuff you see on quiet news days.

 Any comments anyone to help us slap this Linux guy down?

 *Greg K*




Re: Security scaremongering

2014-02-14 Thread mike smith
On Sat, Feb 15, 2014 at 10:59 AM, Greg Keogh g...@mira.net wrote:

> Folks, one of our customers has an IT admin guy who is a Linux fan and
> runs a farm of Linux servers. He has the typical cultural anti-Microsoft
> bias that I'm sure we encounter now and then. Not normally a problem, but
> he's forwarding around scary emails warning of vulnerabilities in IE and
> Silverlight which could put our deployment at risk.
>
> I became suspicious when yesterday he said something like because IE is
> 'closer' to the operating system than other browsers, a flaw in IE makes
> Windows more vulnerable.

Inasmuch as you cannot remove it in lieu of another browser?  Well, in
terms of attack surface, that increases Windows because you can't remove
it, but MS are doing a much better job of managing this these days.

> This seems preposterous to me, and it's vague, but it pleases me to
> imagine that the User/Kernel mode boundaries between IE and Windows are no
> different than any other normal application.
>
> Anyway, in his email he links to these pages:
>
> http://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-19887/Microsoft-Silverlight.html
> http://cwonline.computerworld.com/t/8857906/669819191/656856/12/
>
> I don't see anything particularly scary in these. It looks like a
> Silverlight app would have to be specifically crafted to be a threat (and
> I'm not intending to do that!). The other stuff about IE is just the usual
> stuff you see on quiet news days.

That's standard threat assessment, isn't it?  (doesn't mean you would,
means you could, I mean)

> Any comments anyone to help us slap this Linux guy down?

Yeah, I'd question why he's doing this.  IOW, motive.

> *Greg K*




-- 
Meski

 http://courteous.ly/aAOZcv

Going to Starbucks for coffee is like going to prison for sex. Sure,
you'll get it, but it's going to be rough - Adam Hills