Posted on 11/11/2004 2:30:02 PM PST by Prime Choice
Microsoft is admonishing those who found the IFRAME vulnerability - the flaw exploited by the bofra virus - for the way they made it public.
Microsoft has slammed the people responsible for publishing details of the vulnerability that has led to the creation of the bofra virus.
The software giant, which has yet to release a patch for the flaw, said that the vulnerability was not reported in a responsible fashion.
In a prepared email statement from a Microsoft spokesperson, the company said: "Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities."
"We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests, by helping to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities with no exposure to malicious attackers while the patch is being developed."
The bofra virus, which antivirus companies initially believed to be a MyDoom variant, emerged on Monday after the vulnerability it was based on was published last week on a Web chat forum.
On Friday security firm Secunia issued an advisory on the vulnerability, saying that the flaw was 'extremely critical'. Chief technology officer for the company Thomas Kristensen said that 'Ned', the individual who initially found the bug, stumbled across it while testing browsers with a publicly available tool. The tool crashed IE, so he posted a question on an Internet forum asking others to look at why the program had failed. With some additional research from others in the community, it came to light that the IFRAME flaw was causing the crash.
"Microsoft is right that those who disclose this kind of thing are irresponsible," said Kristensen. "But in this case, it's slightly different because he [Ned] published the first part and they [the other researchers] published the second part. And he didn't do it -- it was done with a tool. If you find a crash in a browser, you might not know if it's serious or not. He might not have been able to test that."
The bofra virus sends out hundreds of emails from an infected machine. The reader on the target machine follows a link sent in the email, which leads to a Web site hosted on the original infected PC. The IE exploit on that Web site turns the computer into another infected machine, and the cycle starts again. All versions of the worm also open a back door to the infected computers.
Microsoft has yet to release a patch for the IE vulnerability, but advised users to upgrade to Windows XP SP2, which is apparently unaffected by the flaw.
I be software engineer. I be having worked for big international software company, I had been subject matter expert. I be able to read and write.
My very simple DSL internet connection does not use junkware.
Now we are at the heart of the problem, "all the money they make," nothing else needs to be said.
Indeed, if what you've posted is an example of how well you read and write, I'd bet that I can read and write much better than you can.
My extremely complicated DSL-connected hosting service and connected lab network uses OpenBSD on security devices (firewall, intrusion detection, etc.), FreeBSD on servers and Linux on desktops (and some other miscellaneous machines).
I have one copy of Windows, Windows 98. It runs on a stand-alone, non-networked machine. I use it for games.
After having been paid to clean and advise on the cleaning of hundreds of Windows machines, I won't allow shoddy Microsoft operating systems on my network.
If you think that Open Source software is junkware, perhaps you've been living under a rock for the past five years or so.
Oracle works on Linux, Google runs on Linux, Free Republic runs on Linux and uses Perl.
Many of the current DSL routers on the market run Linux. So do many of the top-listed supercomputers.
Linux is in data centers, on hundreds of thousands of desktops, in huge render farms, database clusters and on web servers.
So you can call it junkware if you want, but you'd be wrong.
Right on, Knitebane. Don't forget to mention that Linux is virtually virus immune and when there is a flaw Novell, or whoever's version it is, fixes it quickly. As far as browsers go, I use Netscape and save a lot of problems for myself when it comes to spyware and viruses. Just my 2 cents...
I think this is a browser issue. Firefox works for me.
Let's be specific, shall we?
Care to give us a list of the "great things" that Microsoft has done?
Linux, due to the way it is designed is very difficult to infect with a virus when it is operated normally. If you do a dumb thing like log in as root all the time, then virus infection is quite possible.
But note the difference. Under Linux you have to go out of your way to become vulnerable to viruses. Under Windows, you just have to use it normally.
Bug fixes don't come from a company like Novell. They come from the hundreds and thousands of people who use Linux. They can do this because they have the source code.
Netscape is a decent choice for a browser. (actually, once you get away from the buggy and unsecure Internet Explorer using a browser is generally reduced to a matter of taste.)
I've tried Opera and it's ok. I've tried Galeon and Netscape and even though both of them are based on Mozilla, I keep coming back to Firefox, although I also have Konqueror handy to replicate the kinds of functions that IE handles on Windows (file management, multimedia, etc.)
Sorry, just having a bit of fun. All of the different software packages are very good.
My DSL provider is Verizon, in my area it works with Windows.
Microsoft makes a very good product, as do the others. I am tired of whiners complaining about MS, when their beef is they can't do what MS has done.
And MS did it first.
At the risk of repeating myself...
What has MS done?
And I happen to disagree with you about Microsoft making a "very good" product. Most of their products are horribly buggy, tremendously overpriced and nightmares to maintain.
Did what first?
MADE THE MOST MONEY!
Hired the most people.
Installed on the most computers.
Used by the most people.
Bought out the most small companies.
So what?
Nope. Microsoft isn't even the largest employer in Redmond, WA. That's Boeing. And if you only count software companies in Redmond, they still come in second. Behind Nintendo.
Installed on the most computers.
Through marketing practices such as dumping and per-cpu licenses...something that most decent people discount as dishonest at best and criminal at worst.
Bought out the most small companies.
I'm pretty sure that IBM has Microsoft beat in that category. But if you want to talk about the companies that Microsoft drove into bankruptcy and then bought them, you'd probably be right.
Comparing Al Capone to Bill Gates is stupid. John Kerry once visited Texas, does that make him like GWB?
Your opinion.
And like most of your opinions on this thread, wrong.
It is called business. I understand that a lot of techies are anti-MS. But they need to stop whining about it to everyone, no one cares except a small group of techies.
MS has done a large amount of good in this country, created many jobs, and I am sure the list could go on. But I tire of hearing from people that think MS is an evil big company.
Just because you claim my opinions are wrong doesn't make them so.
However, most would agree that Bill Gates and big Al are not two of the same type of businessmen.
Most who are anti-MS are those who do not have the ability to do the same in the business world or any other world for that matter as MS and Bill Gates have done.
So is prostitution, running an abortion clinic or selling crack on the street corner.
Just because it's "business" isn't an excuse for immoral or unethical practices and Microsoft has had more than its share of those kinds of problems.
MS has done a large amount of good in this country, created many jobs, and I am sure the list could go on.
And Al Capone opened a lot of soup kitchens and bread lines in Chicago during the Great Depression. Again, it doesn't excuse bad behavior.
But I tire of hearing from people that think MS is an evil big company.
And I tire of people defending Microsoft's unethical business practices by tossing out some notion that they've done some good things too.