Thursday, March 23, 2006

Thoughts on the New Remote Code Execution IE Hole

I was a little confused by how fast Microsoft reacted to the issue, but then it hit me. They knew about the issue already.

------------------------------------------

Timeline (as far as I can tell).

1) Stelian Ene calls attention to the known issue on the FD list at 09:13 and basically shows that it causes a DoS state.

2) Around 6 hours later, Computer Terrorism (UK) released a security advisory back to the FD list. The advisory stated that it was a "remote code execution" vulnerability and would result in "remote system access". But I still haven't seen any code.

The key part of the advisory is here, however.

Vendor Status:
-------------------
The Vendor has been informed of all aspects of this new vulnerability (including PoC), but as of the date of the document, this vulnerability is UNPATCHED.


Where is the code execution PoC??

------------------------------------------

So basically, Microsoft knew about the issue and had already started fixing it. Microsoft even stated that it was fixed in the new refresh of IE7 Beta 2 announced at Mix '06 (March 20-22).

Ok, so when were they going to apply this fix to IE 6 SP2?? You know, the browser that everyone and their grandparents use??

I have the sick feeling that if Stelian hadn't called attention to the issue, we would only have seen a patch once Microsoft "got around" to it - next patch Tuesday perhaps, maybe not.

But the DoS exploit has been around on the internet for some time. So Microsoft assumes that no blackhat group (aka crimeware gang) has made the "code execution connection" yet?

If they knew about the issue and had information that could protect people, why not release it when it was just a DoS exploit?? How many DoS exploits have to turn into code execution exploits before Microsoft shifts its view on this issue?

But now that the masses have their eyes focused on the issue, Microsoft wants to release a pre-patch advisory and help protect us with workarounds.

Geez, thanks. Why not release this workaround protection information when it was just a DoS??

I understand that non-public vulnerabilities are found and closed all the time and this really isn't much different - but the problem was fixed in IE 7 before it was fixed in IE 6.

I kinda have a problem with that.

Am I crazy or does this seem a little fishy??? Give me some feedback, I need more coffee.

2 comments:

  1. Maybe you should read this:

    http://testing.onlytherightanswers.com/modules.php?name=News&file=article&sid=36

  2. We talked about the WMF in Jan. Gibson was a little off and everyone called him on it.

    The WMF patch did cause printer problems, but there were very few.

    Microsoft knew this would happen because it also happened with Guilfanov’s XP patch.

    So for all the people looking for the "paper jam"...look a little closer - it is there.
