Spyware and Adware affect every internet user

Spyware and Adware is software made by publishers that allow them to
snoop on your browsing activity, invade your privacy, and flood you
with those horrible popups. If you are like most users on the internet,
chances are you are probably infected with these applications.
Why does Spyware and Adware affect every internet user
All information you enter via the web can be intercepted
Unauthorized sites can add themselves to your desktop (icons)
Unauthorized sites can add themselves to your internet favorites
Your browsing activity can be tracked and monitored
Unwanted toolbars and searchbars can attach themselves to your browser
without your knowledge or approval
Your personal information can be sold to other parties without your
knowledge or consent
Your default homepage and settings can be hijacked so you can't change
them
These malicious components not only invade your PC so they can not be
removed, but take up your hard drive space and slow down your PC!
http://spywarehvba.blogspot.com/

Re: Spyware and Adware affect every internet user

vcrsoxykpgdg@yahoo.com wrote:
> Spyware and Adware is software made by publishers that allow them to
> snoop on your browsing activity, invade your privacy, and flood you
> with those horrible popups.

Only, if you're using Internet Explorer. Just don't do that.

Yours,
VB.
--
At first there was the word. And the word was Content-type: text/plain

Re: Spyware and Adware affect every internet user

vcrsoxykpgdg@yahoo.com wrote:
> Spyware and Adware is software made by publishers that allow them to
> snoop on your browsing activity, invade your privacy, and flood you
> with those horrible popups.

Only, if you're using Internet Explorer. Just don't do that.

Yours,
VB.
--
At first there was the word. And the word was Content-type: text/plain

Re: Spyware and Adware affect every internet user

In article <444a491d@news.uni-ulm.de>, bumens@dingens.org says...
> vcrsoxykpgdg@yahoo.com wrote:
> > Spyware and Adware is software made by publishers that allow them to
> > snoop on your browsing activity, invade your privacy, and flood you
> > with those horrible popups.
>
> Only, if you're using Internet Explorer. Just don't do that.
>
> Yours,
> VB.
>
FireFox Browser v1.5
http://www.mozilla.com/firefox/

Opera Browser v8.54
http://www.opera.com/download/

Thunderbird Mail v1.5
http://www.mozilla.com/thunderbird/

Hard to go wrong with these.
Casey

Re: Spyware and Adware affect every internet user

Volker Birk wrote in news:444a491d@news.uni-ulm.de:

> vcrsoxykpgdg@yahoo.com wrote:
>> Spyware and Adware is software made by publishers that allow them to
>> snoop on your browsing activity, invade your privacy, and flood you
>> with those horrible popups.
>
> Only, if you're using Internet Explorer. Just don't do that.
>
> Yours,
> VB.

A properly configured and maintained IE is just as safe as any other browser.

Re: Spyware and Adware affect every internet user

Post removed (X-No-Archive: yes)

Re: Spyware and Adware affect every internet user

On Wed, 26 Apr 2006 21:37:59 +0000, Leythos wrote:

> In article ,
> bob@arc.ab.caREMOVETHIS says...
>> Volker Birk wrote in news:444a491d@news.uni-ulm.de:
>>
>> > vcrsoxykpgdg@yahoo.com wrote:
>> >> Spyware and Adware is software made by publishers that allow them to
>> >> snoop on your browsing activity, invade your privacy, and flood you
>> >> with those horrible popups.
>> >
>> > Only, if you're using Internet Explorer. Just don't do that.
>> >
>> > Yours,
>> > VB.
>>
>> A properly configured and maintained IE is just as safe as any other browser.
>
> Wrong, it's been proven, many times, to have holes that you are unaware
> of and that remain unpatched for long periods of time. Even properly
> configured, in high-security mode, one wrong site added to your trusted
> list and you're compromised.

I'm afraid I'm going to have to side with Fuzzy on this one. Assuming
by "properly configured and maintained" he means "rendered incapable of
executing and replaced with a suitable alternative"...

Re: Spyware and Adware affect every internet user

Fuzzy Logic writes:

> A properly configured and maintained IE is just as safe as any other
> browser.

*cough* ActiveX *cough* Sure, turn off active scripting and activeX
entirely and it's relatively safe, but then again, no web sites willw
work.

Firefox by no means has a spotless security record either, but its
default configuration is a lot more secure than IE's default, and
because of open source reviewable code with a very responsive
development community bring fixes to the fore quickly, tends to have
fewer holes open for less duration than IE, even if "properly
configured."


Best Regards,
--
Todd H.
http://www.toddh.net/

Re: Spyware and Adware affect every internet user

Fuzzy Logic wrote:
> A properly configured and maintained IE is just as safe as any other browser.

Unfortunately, you're wrong here. I hope, this will change.

Yours,
VB.
--
At first there was the word. And the word was Content-type: text/plain

Re: Spyware and Adware affect every internet user

Volker Birk wrote:
> Fuzzy Logic wrote:
>> A properly configured and maintained IE is just as safe as any other browser.
>
> Unfortunately, you're wrong here. I hope, this will change.

This will never change until major parts of the code are rewritten. This
was promised for IE6SP2 and IE7 but actually never happened.

Re: Spyware and Adware affect every internet user

Leythos wrote in
news:XKR3g.23456$P2.11125@tornado.ohiordc.rr.com:

> In article ,
> bob@arc.ab.caREMOVETHIS says...
>> Volker Birk wrote in
>> news:444a491d@news.uni-ulm.de:
>>
>> > vcrsoxykpgdg@yahoo.com wrote:
>> >> Spyware and Adware is software made by publishers that allow them to
>> >> snoop on your browsing activity, invade your privacy, and flood you
>> >> with those horrible popups.
>> >
>> > Only, if you're using Internet Explorer. Just don't do that.
>> >
>> > Yours,
>> > VB.
>>
>> A properly configured and maintained IE is just as safe as any other
>> browser.
>
> Wrong, it's been proven, many times, to have holes that you are unaware
> of and that remain unpatched for long periods of time. Even properly
> configured, in high-security mode, one wrong site added to your trusted
> list and you're compromised.

I would consider that an improper configuration.

Re: Spyware and Adware affect every internet user

comphelp@toddh.net (Todd H.) wrote in news:84wtdcvtr9.fsf@ripco.com:

> Fuzzy Logic writes:
>
>> A properly configured and maintained IE is just as safe as any other
>> browser.
>
> *cough* ActiveX *cough* Sure, turn off active scripting and activeX
> entirely and it's relatively safe, but then again, no web sites willw
> work.
>
> Firefox by no means has a spotless security record either, but its
> default configuration is a lot more secure than IE's default, and
> because of open source reviewable code with a very responsive
> development community bring fixes to the fore quickly, tends to have
> fewer holes open for less duration than IE, even if "properly
> configured."
>
>
> Best Regards,

I will certainly agree that the defaults in IE aren't good. We have over 600 IE users with properly locked down IE
and haven't had ANY security incidents related to the web browser in years.

Re: Spyware and Adware affect every internet user

Volker Birk wrote in news:445058d2@news.uni-ulm.de:

> Fuzzy Logic wrote:
>> A properly configured and maintained IE is just as safe as any other
>> browser.
>
> Unfortunately, you're wrong here. I hope, this will change.
>
> Yours,
> VB.

How am I wrong?

Re: Spyware and Adware affect every internet user

Fuzzy Logic wrote:

> I will certainly agree that the defaults in IE aren't good. We have
> over 600 IE users with properly locked down IE and haven't had ANY
> security incidents related to the web browser in years.

You're just counting on the malicious guys being too stupid to use any
not widely published unpatched vulnerability. But there're plenty of
them[1] and some can't be worked around at all.


[1]

Re: Spyware and Adware affect every internet user

Fuzzy Logic wrote:
> Volker Birk wrote in
> news:445058d2@news.uni-ulm.de:
>
>> Fuzzy Logic wrote:
>>> A properly configured and maintained IE is just as safe as any
>>> other browser.
>> Unfortunately, you're wrong here. I hope, this will change.
>>
>> Yours, VB.
>
> How am I wrong?

Re: Spyware and Adware affect every internet user

Fuzzy Logic wrote:

>>> A properly configured and maintained IE is just as safe as any other
>>> browser.
>> Wrong, it's been proven, many times, to have holes that you are unaware
>> of and that remain unpatched for long periods of time. Even properly
>> configured, in high-security mode, one wrong site added to your trusted
>> list and you're compromised.
>
> I would consider that an improper configuration.

So, and how can you make useful considerations? Any website including
third-party content (like advertisement) is dangerous. Well, most web
designers use a well-known ActiveX exploit to embed Flash content!

Re: Spyware and Adware affect every internet user

Post removed (X-No-Archive: yes)

Re: Spyware and Adware affect every internet user

Fuzzy Logic wrote:
> Volker Birk wrote in news:445058d2@news.uni-ulm.de:
> > Fuzzy Logic wrote:
> >> A properly configured and maintained IE is just as safe as any other
> >> browser.
> > Unfortunately, you're wrong here. I hope, this will change.
> How am I wrong?

I posted here some days ago about that topic: <443d2b05@news.uni-ulm.de>

Yours,
VB.
--
At first there was the word. And the word was Content-type: text/plain

Re: Spyware and Adware affect every internet user

Sebastian Gottschalk wrote in news:4bd1a2F10ooejU1@news.dfncis.de:

> Fuzzy Logic wrote:
>
>>>> A properly configured and maintained IE is just as safe as any other
>>>> browser.
>>> Wrong, it's been proven, many times, to have holes that you are unaware
>>> of and that remain unpatched for long periods of time. Even properly
>>> configured, in high-security mode, one wrong site added to your trusted
>>> list and you're compromised.
>>
>> I would consider that an improper configuration.
>
> So, and how can you make useful considerations? Any website including
> third-party content (like advertisement) is dangerous. Well, most web
> designers use a well-known ActiveX exploit to embed Flash content!

Don't allow ActiveX except on trusted sites (in other words configure your browser correctly).

Re: Spyware and Adware affect every internet user

Leythos wrote in news:Tec4g.21005$mh.10341@tornado.ohiordc.rr.com:

> In article ,
> bob@arc.ab.caREMOVETHIS says...
>> Leythos wrote in
>> news:XKR3g.23456$P2.11125@tornado.ohiordc.rr.com:
>>
>> > In article ,
>> > bob@arc.ab.caREMOVETHIS says...
>> >> Volker Birk wrote in
>> >> news:444a491d@news.uni-ulm.de:
>> >>
>> >> > vcrsoxykpgdg@yahoo.com wrote:
>> >> >> Spyware and Adware is software made by publishers that allow them to
>> >> >> snoop on your browsing activity, invade your privacy, and flood you
>> >> >> with those horrible popups.
>> >> >
>> >> > Only, if you're using Internet Explorer. Just don't do that.
>> >> >
>> >> > Yours,
>> >> > VB.
>> >>
>> >> A properly configured and maintained IE is just as safe as any other
>> >> browser.
>> >
>> > Wrong, it's been proven, many times, to have holes that you are unaware
>> > of and that remain unpatched for long periods of time. Even properly
>> > configured, in high-security mode, one wrong site added to your trusted
>> > list and you're compromised.
>>
>> I would consider that an improper configuration.
>
> Sorry, if you configure it as MS suggests, for high-security, it has
> been proven to be vulnerable several times in the last year alone. There
> are few things you can do to protect IE from itself when it's the code
> itself that is faulty. Not all IE faults lead to direct exposure, but
> enough of them in the last year have.

Proofs of concept are not the same as real world events. Any vulnerabilites of note have been patched before
real world exploits existed.

Re: Spyware and Adware affect every internet user

Fuzzy Logic wrote:

> Don't allow ActiveX except on trusted sites

So, and what is a trusted site? Does any exist?

> (in other words configure your browser correctly).

The is no such thing like a correct MSIE configuration.

Re: Spyware and Adware affect every internet user

Sebastian Gottschalk wrote in news:4bd0olF11b8kaU1@news.dfncis.de:

> Fuzzy Logic wrote:
>
>> I will certainly agree that the defaults in IE aren't good. We have
>> over 600 IE users with properly locked down IE and haven't had ANY
>> security incidents related to the web browser in years.
>
> You're just counting on the malicious guys being too stupid to use any
> not widely published unpatched vulnerability. But there're plenty of
> them[1] and some can't be worked around at all.
>
> [1]

Well I visited the above link and it asked if I wish to save a file. I said no. Apparently I worked around it?

Security is a process not a piece fo software or hardware. What's 'secure' today can be rendered totally
insecure the next when a new 'critical' vulnerability is discovered. Regardless of the OS or browser you use
there are and will be vulnerabilities. It's always a moving target and to say that A is more secure than B may
only be true at a single point in time and then the table could promptly turn as a new vulnerability is discovered.
The best you can do is find well supported OS/browser YOU like, learn and use it's security features, keep it
patched and up to date, practice safe surfing and be diligent and you will likely be as 'secure' as you can be.

Re: Spyware and Adware affect every internet user

Sebastian Gottschalk wrote in news:4bd0tqF11b8kaU2@news.dfncis.de:

> Fuzzy Logic wrote:
>> Volker Birk wrote in
>> news:445058d2@news.uni-ulm.de:
>>
>>> Fuzzy Logic wrote:
>>>> A properly configured and maintained IE is just as safe as any
>>>> other browser.
>>> Unfortunately, you're wrong here. I hope, this will change.
>>>
>>> Yours, VB.
>>
>> How am I wrong?
>
>
>

Re: Spyware and Adware affect every internet user

Fuzzy Logic wrote:

> Proofs of concept are not the same as real world events. Any
> vulnerabilites of note have been patched before real world exploits
> existed.

And what's about those 50+ still unpatched vulnerabilities?

Re: Spyware and Adware affect every internet user

Fuzzy Logic wrote:

> Interesting...your point?

- unpatched vulnerability
- allows remote code execution
- no configuration possibility, no workaround

Re: Spyware and Adware affect every internet user

Fuzzy Logic wrote:

>> [1]
>
> Well I visited the above link and it asked if I wish to save a file.
> I said no. Apparently I worked around it?

No. IE is too stupid to recognize the correct MIME type
application/xhtml+xml for XHTML content (which might be related that
this MIME type was added after the release of IE6 Gold) and therefore
offers a download - viewing it locally works fine.
I'm not operating the server so I can't enforce the compatibility MIME
type text/xml (which is correct as well but deprecated), but what you
can do is adding the other MIME to your IE configuration - and it will
work as well. Microsoft is obviously unwilling to do so, even though
ASP.NET uses the new MIME type by default.

And yes, I'm aware of the irony that an IE user can't learn about the
vulnerabilities that well. But as IE isn't suitable as a webbrowser
anyway, who cares?

> Security is a process not a piece fo software or hardware. What's
> 'secure' today can be rendered totally insecure the next when a new
> 'critical' vulnerability is discovered.

Fine, but MSIE is insecure by design. It will always be insecure no
matter how much you patch. And Microsoft stopped patching certain
critical vulnerabilities back in April '03!

> The best you can do is find
> well supported OS/browser YOU like, learn and use it's security
> features, keep it patched and up to date, practice safe surfing and
> be diligent and you will likely be as 'secure' as you can be.

Fine, but MSIE has never been designed to be used on any untrusted network.

Re: Spyware and Adware affect every internet user

Post removed (X-No-Archive: yes)

Re: Spyware and Adware affect every internet user

Fuzzy Logic wrote:
> Proofs of concept are not the same as real world events.

No, they aren't. They just proof, that real world events may occur. And
that means, that you're not secure against such events.

> Any vulnerabilites of note have been patched before
> real world exploits existed.

In Internet Exploder? It's obvious, that you just don't know what you're
writing about.

Yours,
VB.
--
At first there was the word. And the word was Content-type: text/plain

Re: Spyware and Adware affect every internet user

Sebastian Gottschalk wrote in news:4bfd7iF112o9vU1@news.dfncis.de:

> Fuzzy Logic wrote:
>
>> Don't allow ActiveX except on trusted sites
>
> So, and what is a trusted site? Does any exist?

I have none.

>> (in other words configure your browser correctly).
>
> The is no such thing like a correct MSIE configuration.

So YOU say. I would argue there is.

Re: Spyware and Adware affect every internet user

Sebastian Gottschalk wrote in news:4bfdevF11e56fU1@news.dfncis.de:

> Fuzzy Logic wrote:
>
>> Proofs of concept are not the same as real world events. Any
>> vulnerabilites of note have been patched before real world exploits
>> existed.
>
> And what's about those 50+ still unpatched vulnerabilities?

Apparently no one has figured out how to use them. Many are so obscure that they require a precise
sequence of events that are very unlikely to happen in the real world.

Re: Spyware and Adware affect every internet user

Leythos wrote in
news:p1z4g.21247$mh.11318@tornado.ohiordc.rr.com:

> In article ,
> bob@arc.ab.caREMOVETHIS says...
>> > Sorry, if you configure it as MS suggests, for high-security, it has
>> > been proven to be vulnerable several times in the last year alone.
>> > There are few things you can do to protect IE from itself when it's
>> > the code itself that is faulty. Not all IE faults lead to direct
>> > exposure, but enough of them in the last year have.
>>
>> Proofs of concept are not the same as real world events. Any
>> vulnerabilites of note have been patched before real world exploits
>> existed.
>
> are you Nuts? There are often times when an exploit goes public and the
> patch has not been released.

Not very often and you need to visit a specially crafted web site. In reality the risk is VERY low.

Re: Spyware and Adware affect every internet user

Volker Birk wrote in news:44536b02@news.uni-ulm.de:

> Fuzzy Logic wrote:
>> Proofs of concept are not the same as real world events.
>
> No, they aren't. They just proof, that real world events may occur. And
> that means, that you're not secure against such events.
>
>> Any vulnerabilites of note have been patched before
>> real world exploits existed.
>
> In Internet Exploder? It's obvious, that you just don't know what you're
> writing about.
>
> Yours,
> VB.

Feel free to supply references that contradict me.

Re: Spyware and Adware affect every internet user

Sebastian Gottschalk wrote in news:4bfe90F11fg36U1@news.dfncis.de:

> Fuzzy Logic wrote:
>
>>> [1]
>>
>> Well I visited the above link and it asked if I wish to save a file.
>> I said no. Apparently I worked around it?
>
> No. IE is too stupid to recognize the correct MIME type
> application/xhtml+xml for XHTML content (which might be related that
> this MIME type was added after the release of IE6 Gold) and therefore
> offers a download - viewing it locally works fine.
> I'm not operating the server so I can't enforce the compatibility MIME
> type text/xml (which is correct as well but deprecated), but what you
> can do is adding the other MIME to your IE configuration - and it will
> work as well. Microsoft is obviously unwilling to do so, even though
> ASP.NET uses the new MIME type by default.
>
> And yes, I'm aware of the irony that an IE user can't learn about the
> vulnerabilities that well. But as IE isn't suitable as a webbrowser
> anyway, who cares?

Apparently you do. I've been using it for years without a single incident.

>> Security is a process not a piece fo software or hardware. What's
>> 'secure' today can be rendered totally insecure the next when a new
>> 'critical' vulnerability is discovered.
>
> Fine, but MSIE is insecure by design. It will always be insecure no
> matter how much you patch. And Microsoft stopped patching certain
> critical vulnerabilities back in April '03!

So you're saying Microsoft (or any other software company) intentionally writes insecure software?

>> The best you can do is find
>> well supported OS/browser YOU like, learn and use it's security
>> features, keep it patched and up to date, practice safe surfing and
>> be diligent and you will likely be as 'secure' as you can be.
>
> Fine, but MSIE has never been designed to be used on any untrusted network.

So YOU say. Regardless of the browser you use it will have vulnerabilities.

Re: Spyware and Adware affect every internet user

Fuzzy Logic wrote:

>> And yes, I'm aware of the irony that an IE user can't learn about the
>> vulnerabilities that well. But as IE isn't suitable as a webbrowser
>> anyway, who cares?
>
> Apparently you do. I've been using it for years without a single incident.

But you're aware that this is dedicated either to luck or being unable
to recognize the problem? I just remember a cracked adserver serving a
trojan horse exploiting a formerly unpatched vulnerability...

>> Fine, but MSIE is insecure by design. It will always be insecure no
>> matter how much you patch. And Microsoft stopped patching certain
>> critical vulnerabilities back in April '03!
>
> So you're saying Microsoft (or any other software company)
> intentionally writes insecure software?

In case of IE: probably yes. I guess they've bet on being able to take
over the WWW before the big issues emerge.

>>> The best you can do is find
>>> well supported OS/browser YOU like, learn and use it's security
>>> features, keep it patched and up to date, practice safe surfing and
>>> be diligent and you will likely be as 'secure' as you can be.
>> Fine, but MSIE has never been designed to be used on any untrusted network.
>
> So YOU say. Regardless of the browser you use it will have vulnerabilities.

No, there are numerous _design_ errors that make it unsuitable.

One good example is the cross-site/domain policy in JavaScript. As the
security researcher Liu Die Yu pointed out [1], the implementation is
based on a script from a trusted server enforcing access denial from
untrusted servers, but there's no protection from scripts from untrusted
servers accessing trusted zones.

Gregor Guninski pointed out that ActiveX is also a design error: What if
a vendor has shipped a signed defective (read: exploitable) ActiveX
control, but has some important software bind to exactly that version
and revoking it (with the use of a CRL) would break that software?
And well, this happened: MS Office Web Control 10 [2]
Means: Every ActiveX control, even when preinstalled, is evil. Always.
Just not counting many other ActiveX issues (like autoloading, install
redirection and invokation side-effects).

And there're many other issues [3] that cross-site scripting and
spoofing actually are features than vulnerabilities. And I still didn't
include the even worse flaws of versions prior to IE6SP2. (F.e. it's no
problem to move an image over both the address bar and a download dialogue!)

[1] http://www.safecenter.net/crosszone/ie/SaveRef.htm
[2] http://www.guninski.com/signedactivex2.html
[3] http://web.inf.tu-dresden.de/~s9053014/iesec.xhtml

Re: Spyware and Adware affect every internet user

Fuzzy Logic wrote:
> Sebastian Gottschalk wrote in news:4bfd7iF112o9vU1@news.dfncis.de:
>
>> Fuzzy Logic wrote:
>>
>>> Don't allow ActiveX except on trusted sites
>> So, and what is a trusted site? Does any exist?
>
> I have none.
>
>>> (in other words configure your browser correctly).
>> The is no such thing like a correct MSIE configuration.
>
> So YOU say. I would argue there is.

Point me to a configuration that protects against unpatched boundary
errors in the CSS parser/interpreter.

ff.

And no, supplying a user stylesheet doesn't work either. :-(

Re: Spyware and Adware affect every internet user

Fuzzy Logic wrote:
> Sebastian Gottschalk wrote in news:4bfdevF11e56fU1@news.dfncis.de:
>
>> Fuzzy Logic wrote:
>>
>>> Proofs of concept are not the same as real world events. Any
>>> vulnerabilites of note have been patched before real world exploits
>>> existed.
>> And what's about those 50+ still unpatched vulnerabilities?
>
> Apparently no one has figured out how to use them. Many are so obscure that they require a precise
> sequence of events that are very unlikely to happen in the real world.

Nice exploit code at
. Have phun!

Re: Spyware and Adware affect every internet user

Fuzzy Logic wrote:

>> are you Nuts? There are often times when an exploit goes public and
>> the patch has not been released.
>
> Not very often and you need to visit a specially crafted web site. In
> reality the risk is VERY low.

Ehm... have you been sleeping when someone hijacked the server of
advertiser FalkAG to spread IE trojans over many usually harmless and
trusted big websites like NYTimes, Slashdot and even Yahoo? Still
dizzing when some company bought some adspace from Google Ads for
spreading WMF images?
There is no such thing like avoiding dangerous websites.

In Soviet Russia, websites are browsing at you !!!11

Re: Spyware and Adware affect every internet user

Fuzzy Logic wrote:
> > And what's about those 50+ still unpatched vulnerabilities?
> Apparently no one has figured out how to use them.

You're getting ridiculous. How to use it is what we call an exploit.

Yours,
VB.
--
At first there was the word. And the word was Content-type: text/plain

Re: Spyware and Adware affect every internet user

Fuzzy Logic wrote:
> >> Any vulnerabilites of note have been patched before
> >> real world exploits existed.
> > In Internet Exploder? It's obvious, that you just don't know what you're
> > writing about.
> Feel free to supply references that contradict me.

I already offered them, as you know.

But: this is getting boring. I will drop this useless "discussion".

Yours,
VB.
--
At first there was the word. And the word was Content-type: text/plain

Re: Spyware and Adware affect every internet user

Fuzzy Logic wrote:
> > But as IE isn't suitable as a webbrowser
> > anyway, who cares?
> Apparently you do. I've been using it for years without a single incident.

Without a single incident you realized ;-)

> So you're saying Microsoft (or any other software company) intentionally
> writes insecure software?

This is a good question. For a long time, I had the feeling, they just
don't care. In this meaning: yes. In the meanwhile, they seem to care.
But there are other, sometimes more important decisions (from
Microsoft's view), which seem to contradict security from time to time.
In this meaning: yes, even now.

Yours,
VB.
--
At first there was the word. And the word was Content-type: text/plain

Re: Spyware and Adware affect every internet user

Sebastian Gottschalk wrote in
news:4bni9uF12ds9iU2@news.dfncis.de:

> Fuzzy Logic wrote:
>> Sebastian Gottschalk wrote in
>> news:4bfd7iF112o9vU1@news.dfncis.de:
>>
>>> Fuzzy Logic wrote:
>>>
>>>> Don't allow ActiveX except on trusted sites
>>> So, and what is a trusted site? Does any exist?
>>
>> I have none.
>>
>>>> (in other words configure your browser correctly).
>>> The is no such thing like a correct MSIE configuration.
>>
>> So YOU say. I would argue there is.
>
> Point me to a configuration that protects against unpatched boundary
> errors in the CSS parser/interpreter.
>
> ff.
>
> And no, supplying a user stylesheet doesn't work either. :-(

Accessing that page simply gives me a save file dialog? Browser doesn't crash. I simply say Cancel and
continue on my way.

Re: Spyware and Adware affect every internet user

Sebastian Gottschalk wrote in
news:4bnibjF12ds9iU3@news.dfncis.de:

> Fuzzy Logic wrote:
>> Sebastian Gottschalk wrote in
>> news:4bfdevF11e56fU1@news.dfncis.de:
>>
>>> Fuzzy Logic wrote:
>>>
>>>> Proofs of concept are not the same as real world events. Any
>>>> vulnerabilites of note have been patched before real world exploits
>>>> existed.
>>> And what's about those 50+ still unpatched vulnerabilities?
>>
>> Apparently no one has figured out how to use them. Many are so obscure
>> that they require a precise sequence of events that are very unlikely
>> to happen in the real world.
>
> Nice exploit code at
>. Have phun!
>

I am prompted to save a file. I declined and continued on my way!

Re: Spyware and Adware affect every internet user

Volker Birk wrote in news:445707a0@news.uni-ulm.de:

> Fuzzy Logic wrote:
>> > And what's about those 50+ still unpatched vulnerabilities?
>> Apparently no one has figured out how to use them.
>
> You're getting ridiculous. How to use it is what we call an exploit.
>
> Yours,
> VB.

Many exploites require a precise set of circumstances requiring a user to visit a specially crafted website and
doing something specific when they get there. They are usually so obscure that in reality they pose no REAL
threat. Kind of like a plane engine falling on your head. It's possible but very unlikely.

Re: Spyware and Adware affect every internet user

Sebastian Gottschalk wrote in news:4bnijkF11lv06U1@news.dfncis.de:

> Fuzzy Logic wrote:
>
>>> are you Nuts? There are often times when an exploit goes public and
>>> the patch has not been released.
>>
>> Not very often and you need to visit a specially crafted web site. In
>> reality the risk is VERY low.
>
> Ehm... have you been sleeping when someone hijacked the server of
> advertiser FalkAG to spread IE trojans over many usually harmless and
> trusted big websites like NYTimes, Slashdot and even Yahoo? Still
> dizzing when some company bought some adspace from Google Ads for
> spreading WMF images?
> There is no such thing like avoiding dangerous websites.

Anyone with XP SP2 was immune to this.

> In Soviet Russia, websites are browsing at you !!!11

Good for them.

Re: Spyware and Adware affect every internet user

Sebastian Gottschalk wrote in
news:4bni0hF12ds9iU1@news.dfncis.de:

> Fuzzy Logic wrote:
>
>>> And yes, I'm aware of the irony that an IE user can't learn about the
>>> vulnerabilities that well. But as IE isn't suitable as a webbrowser
>>> anyway, who cares?
>>
>> Apparently you do. I've been using it for years without a single
>> incident.
>
> But you're aware that this is dedicated either to luck or being unable
> to recognize the problem? I just remember a cracked adserver serving a
> trojan horse exploiting a formerly unpatched vulnerability...

Anyone with XP SP2 was immune.

>>> Fine, but MSIE is insecure by design. It will always be insecure no
>>> matter how much you patch. And Microsoft stopped patching certain
>>> critical vulnerabilities back in April '03!
>>
>> So you're saying Microsoft (or any other software company)
>> intentionally writes insecure software?
>
> In case of IE: probably yes. I guess they've bet on being able to take
> over the WWW before the big issues emerge.
>
>>>> The best you can do is find
>>>> well supported OS/browser YOU like, learn and use it's security
>>>> features, keep it patched and up to date, practice safe surfing and
>>>> be diligent and you will likely be as 'secure' as you can be.
>>> Fine, but MSIE has never been designed to be used on any untrusted
>>> network.
>>
>> So YOU say. Regardless of the browser you use it will have
>> vulnerabilities.
>
> No, there are numerous _design_ errors that make it unsuitable.
>
> One good example is the cross-site/domain policy in JavaScript. As the
> security researcher Liu Die Yu pointed out [1], the implementation is
> based on a script from a trusted server enforcing access denial from
> untrusted servers, but there's no protection from scripts from untrusted
> servers accessing trusted zones.

Turn off scripting if you are concerned or change the security level for it.

> Gregor Guninski pointed out that ActiveX is also a design error: What if
> a vendor has shipped a signed defective (read: exploitable) ActiveX
> control, but has some important software bind to exactly that version
> and revoking it (with the use of a CRL) would break that software?
> And well, this happened: MS Office Web Control 10 [2]
> Means: Every ActiveX control, even when preinstalled, is evil. Always.
> Just not counting many other ActiveX issues (like autoloading, install
> redirection and invokation side-effects).

Don't run ActiveX if you are concerned or configure it for sites that really require it.

> And there're many other issues [3] that cross-site scripting and
> spoofing actually are features than vulnerabilities. And I still didn't
> include the even worse flaws of versions prior to IE6SP2. (F.e. it's no
> problem to move an image over both the address bar and a download
> dialogue!

I am talking about a properly maintained and up to date system. This means XP SP2 and all updates installed.

> [1] http://www.safecenter.net/crosszone/ie/SaveRef.htm
> [2] http://www.guninski.com/signedactivex2.html
> [3] http://web.inf.tu-dresden.de/~s9053014/iesec.xhtml

Regardless of the browser you use there will be vulnerabilties/risks. If you don't like IE or feel it's unsafe
then don't. Here's a good read if you think switching to Firefox will somehow make your life better:

http://mywebpages.comcast.net/SupportCD/FirefoxMyths.html

Re: Spyware and Adware affect every internet user

Volker Birk wrote in news:445708cd@news.uni-ulm.de:

> Fuzzy Logic wrote:
>> > But as IE isn't suitable as a webbrowser
>> > anyway, who cares?
>> Apparently you do. I've been using it for years without a single incident.
>
> Without a single incident you realized ;-)

I do regular scans for viruses, spyware etc. and have never found anything (not even a malicious cookie).

>> So you're saying Microsoft (or any other software company) intentionally
>> writes insecure software?
>
> This is a good question. For a long time, I had the feeling, they just
> don't care. In this meaning: yes. In the meanwhile, they seem to care.
> But there are other, sometimes more important decisions (from
> Microsoft's view), which seem to contradict security from time to time.
> In this meaning: yes, even now.
>
> Yours,
> VB.

Re: Spyware and Adware affect every internet user

Fuzzy Logic wrote:

>>>> The is no such thing like a correct MSIE configuration.
>>> So YOU say. I would argue there is.
>> Point me to a configuration that protects against unpatched boundary
>> errors in the CSS parser/interpreter.
>>
>> ff.
>>
>> And no, supplying a user stylesheet doesn't work either. :-(
>
> Accessing that page simply gives me a save file dialog?

Yes I know. IE doesn't recognize the application/xhtml+xml MIME type
correctly, which is a well-known problem. What about using a real
webbrowser?

> Browser doesn't crash. I simply say Cancel and continue on my way.

Ehm... you should _read_ this website (and get it to read first),
copy&paste the exploit code into a file and open it in IE (doesn't
matter if locally or remote).

Re: Spyware and Adware affect every internet user

Fuzzy Logic wrote:

> Many exploites require a precise set of circumstances requiring a
> user to visit a specially crafted website

No problem, just buy some adspace from a well-known company.

> and doing something specific when they get there.

No. Most recent unpatched exploits don't require user interaction,
beside that a lot of common user interaction can be made pretty
plausible (f.e. they will scroll a long pr0n website and click the
"next" button).

Re: Spyware and Adware affect every internet user

Fuzzy Logic wrote:
> Sebastian Gottschalk wrote in news:4bnijkF11lv06U1@news.dfncis.de:
>
>> Fuzzy Logic wrote:
>>
>>>> are you Nuts? There are often times when an exploit goes public and
>>>> the patch has not been released.
>>> Not very often and you need to visit a specially crafted web site. In
>>> reality the risk is VERY low.
>> Ehm... have you been sleeping when someone hijacked the server of
>> advertiser FalkAG to spread IE trojans over many usually harmless and
>> trusted big websites like NYTimes, Slashdot and even Yahoo? Still
>> dizzing when some company bought some adspace from Google Ads for
>> spreading WMF images?
>> There is no such thing like avoiding dangerous websites.
>
> Anyone with XP SP2 was immune to this.

Ehm, no? Beside that, where is IE6SP2 for Win2K?

Re: Spyware and Adware affect every internet user

Fuzzy Logic wrote:

>> But you're aware that this is dedicated either to luck or being
>> unable to recognize the problem? I just remember a cracked adserver
>> serving a trojan horse exploiting a formerly unpatched
>> vulnerability...
>
> Anyone with XP SP2 was immune.

Not right.

> Turn off scripting if you are concerned or change the security level
> for it.

Basically you have to turn it off forever and never turn it on again.

> Don't run ActiveX if you are concerned or configure it for sites that
> really require it.

There's no way to turn of passive ActiveX control invokation without
putting some nifty killbits (which cannot be done with the configuration
dialogue).

> I am talking about a properly maintained and up to date system. This
> means XP SP2 and all updates installed.

Yes, that's what I'm talking about too and that's what "unpatched"
means: There doesn't exist any patch.
And for some, there doesn't exist any workaround either.

> Regardless of the browser you use there will be vulnerabilties/risks.

Why do you think so? And do you understand the difference between
systematic and random errors?

> If you don't like IE or feel it's unsafe then don't. Here's a good
> read if you think switching to Firefox will somehow make your life
> better:
>
> http://mywebpages.comcast.net/SupportCD/FirefoxMyths.html

Yes, I already pointed out a big load of errors on this website, but the
maintainer isn't interested in both facts and arguments but just his big
ego.

Re: Spyware and Adware affect every internet user

Fuzzy Logic wrote:

>>>> But as IE isn't suitable as a webbrowser anyway, who cares?
>>> Apparently you do. I've been using it for years without a single
>>> incident.
>> Without a single incident you realized ;-)
>
> I do regular scans for viruses, spyware etc. and have never found
> anything (not even a malicious cookie).

means: you don't have any real proof, but just a lack of positive
evidence. BTST too often on compromised system (can you say 'rootkit'?).

What about checksums of important system and configuration files,
auditing logs and verifications?

Re: Spyware and Adware affect every internet user

Sebastian Gottschalk wrote in news:4bpupeF12mq8gU1@news.dfncis.de:

> Fuzzy Logic wrote:
>
>>>>> The is no such thing like a correct MSIE configuration.
>>>> So YOU say. I would argue there is.
>>> Point me to a configuration that protects against unpatched boundary
>>> errors in the CSS parser/interpreter.
>>>
>>> ff.
>>>
>>> And no, supplying a user stylesheet doesn't work either. :-(
>>
>> Accessing that page simply gives me a save file dialog?
>
> Yes I know. IE doesn't recognize the application/xhtml+xml MIME type
> correctly, which is a well-known problem. What about using a real
> webbrowser?

What would that be?

>> Browser doesn't crash. I simply say Cancel and continue on my way.
>
> Ehm... you should _read_ this website (and get it to read first),
> copy&paste the exploit code into a file and open it in IE (doesn't
> matter if locally or remote).

Sounds like a lot of work to see if some exploit code will run in my browser. As I said before many of the
unpatched ones require handstands and cartwheels for them to actually work.

Re: Spyware and Adware affect every internet user

Sebastian Gottschalk wrote in
news:4bpuvpF12mq8gU3@news.dfncis.de:

> Fuzzy Logic wrote:
>> Sebastian Gottschalk wrote in
>> news:4bnijkF11lv06U1@news.dfncis.de:
>>
>>> Fuzzy Logic wrote:
>>>
>>>>> are you Nuts? There are often times when an exploit goes public and
>>>>> the patch has not been released.
>>>> Not very often and you need to visit a specially crafted web site. In
>>>> reality the risk is VERY low.
>>> Ehm... have you been sleeping when someone hijacked the server of
>>> advertiser FalkAG to spread IE trojans over many usually harmless and
>>> trusted big websites like NYTimes, Slashdot and even Yahoo? Still
>>> dizzing when some company bought some adspace from Google Ads for
>>> spreading WMF images?
>>> There is no such thing like avoiding dangerous websites.
>>
>> Anyone with XP SP2 was immune to this.
>
> Ehm, no? Beside that, where is IE6SP2 for Win2K?

Actually XP SP2 was immune. I can't recall what the status was for Win2K.

Re: Spyware and Adware affect every internet user

Fuzzy Logic wrote:

>>> Accessing that page simply gives me a save file dialog?
>> Yes I know. IE doesn't recognize the application/xhtml+xml MIME
>> type correctly, which is a well-known problem. What about using a
>> real webbrowser?
>
> What would that be?

A program that doesn't transform into a local shell when typing "C:" in
the address bar (and thereby proofing that is has a big problem with
context separation).
Mozilla, Opera, Konqueror, Safari, Links2 or even good'ol Mosaic...

>>> Browser doesn't crash. I simply say Cancel and continue on my
>>> way.
>> Ehm... you should _read_ this website (and get it to read first),
>> copy&paste the exploit code into a file and open it in IE (doesn't
>> matter if locally or remote).
>
> Sounds like a lot of work to see if some exploit code will run in my
> browser. As I said before many of the unpatched ones require
> handstands and cartwheels for them to actually work.

This code is intentionally displayed in clear to actually point at the
problem (in this case: a problem with parsing certain pseudo classes)
for research and documentation purpose.

It's absolutely no problem to put it into a non-escaped active context
making your IE crash or even execute remote code.

And most likely I will do so when reworking the page next time, while
also remove the patched onload=window() stuff and adding some more
unpatched stuff, detailed documentation (like code disassembly where
applicable) and a hilarious spoofing demo (combining certain issues in a
more impressive way).

Re: Spyware and Adware affect every internet user

Sebastian Gottschalk wrote in news:4bpva3F128jrlU1@news.dfncis.de:

> Fuzzy Logic wrote:
>
>>> But you're aware that this is dedicated either to luck or being
>>> unable to recognize the problem? I just remember a cracked adserver
>>> serving a trojan horse exploiting a formerly unpatched
>>> vulnerability...
>>
>> Anyone with XP SP2 was immune.
>
> Not right.

Feel free to supply links that are contrary to this.

>> Turn off scripting if you are concerned or change the security level
>> for it.
>
> Basically you have to turn it off forever and never turn it on again.

Or properly configure zones.

>> Don't run ActiveX if you are concerned or configure it for sites that
>> really require it.
>
> There's no way to turn of passive ActiveX control invokation without
> putting some nifty killbits (which cannot be done with the configuration
> dialogue).

Remove the ActiveX control if you are truly paranoid.

>> I am talking about a properly maintained and up to date system. This
>> means XP SP2 and all updates installed.
>
> Yes, that's what I'm talking about too and that's what "unpatched"
> means: There doesn't exist any patch.
> And for some, there doesn't exist any workaround either.

Unpatched is not the same as no patch available in my books. Unpatched means a patch exits but hasn't
been applied. Currently unpatched 'vulnerabilities' are so obscure that no one has found a way to exploit
them in the real world.

>> Regardless of the browser you use there will be vulnerabilties/risks.
>
> Why do you think so? And do you understand the d2ifference between
> systematic and random errors?

Irrelevant. I'm positive that any current web browser will have a security related patch before the year is
out.

>> If you don't like IE or feel it's unsafe then don't. Here's a good
>> read if you think switching to Firefox will somehow make your life
>> better:
>>
>> http://mywebpages.comcast.net/SupportCD/FirefoxMyths.html
>
> Yes, I already pointed out a big load of errors on this website, but the
> maintainer isn't interested in both facts and arguments but just his big
> ego

Wait a minute I think you are talking about yourself.

Re: Spyware and Adware affect every internet user

Sebastian Gottschalk wrote in news:4bpve3F128jrlU2@news.dfncis.de:

> Fuzzy Logic wrote:
>
>>>>> But as IE isn't suitable as a webbrowser anyway, who cares?
>>>> Apparently you do. I've been using it for years without a single
>>>> incident.
>>> Without a single incident you realized ;-)
>>
>> I do regular scans for viruses, spyware etc. and have never found
>> anything (not even a malicious cookie).
>
> means: you don't have any real proof, but just a lack of positive
> evidence. BTST too often on compromised system (can you say 'rootkit'?).
>
> What about checksums of important system and configuration files,
> auditing logs and verifications?

I can only assume you are extremely paranoid and do this on a regular basis on your system?

Re: Spyware and Adware affect every internet user

Fuzzy Logic wrote:

>>>> Ehm... have you been sleeping when someone hijacked the server of
>>>> advertiser FalkAG to spread IE trojans over many usually harmless and
>>>> trusted big websites like NYTimes, Slashdot and even Yahoo? Still
>>>> dizzing when some company bought some adspace from Google Ads for
>>>> spreading WMF images?
>>>> There is no such thing like avoiding dangerous websites.
>>> Anyone with XP SP2 was immune to this.
>> Ehm, no? Beside that, where is IE6SP2 for Win2K?
>
> Actually XP SP2 was immune.

XPSP2 was not vulnerable to the IFrame problem, but to the WMF exploit.

> I can't recall what the status was for Win2K.

Uhm... dead? sent with a Content-Type: audio/aiff will
instantly execute the binary?

Re: Spyware and Adware affect every internet user

Fuzzy Logic wrote:

>>>> But you're aware that this is dedicated either to luck or being
>>>> unable to recognize the problem? I just remember a cracked
>>>> adserver serving a trojan horse exploiting a formerly unpatched
>>>> vulnerability...
>>> Anyone with XP SP2 was immune.
>> Not right.
>
> Feel free to supply links that are contrary to this.

Sorry, mixed it up. The WMF exploit was spread via adspace that has
been legally bought instead of illegally aquired. Which is better how much?

>>> Turn off scripting if you are concerned or change the security
>>> level for it.
>> Basically you have to turn it off forever and never turn it on
>> again.
>
> Or properly configure zones.

Ehm, no. Zones don't work, that's exactly the point of the issue.

>>> Don't run ActiveX if you are concerned or configure it for sites
>>> that really require it.
>> There's no way to turn of passive ActiveX control invokation
>> without putting some nifty killbits (which cannot be done with the
>> configuration dialogue).
>
> Remove the ActiveX control if you are truly paranoid.

On Win9x this actually worked and only broke some crappy software. Do
this on Win2K or higher and you're about to remove at least 40% of the
entire system binaries...

> Unpatched is not the same as no patch available in my books.
> Unpatched means a patch exits but hasn't been applied.

Update your books, you're twisting client-side and vendor-side
terminilogy. When some vulnerability is unpatched by the vendor, then
because no patch exists.

> Currently unpatched 'vulnerabilities' are so obscure that no one has
> found a way to exploit them in the real world.

No, just that the vendor too incompetent to understand the
vulnerability. BTST too often, especially with Microsoft on IE.

>>> Regardless of the browser you use there will be
>>> vulnerabilties/risks.
>> Why do you think so? And do you understand the difference between
>> systematic and random errors?
>
> Irrelevant. I'm positive that any current web browser will have a
> security related patch before the year is out.

I'm still looking forward for a vulnerability in my secure configuration
of Firefox (which has JavaScript enabled BTW). As far as Bugzilla and
certain security vendor tell there has been no security issues that
applied to my configuration since Firebird 0.9 (!), so I've worked
around it / hardened before discovery of the problem. The only issue in
Firebird 0.8 was a memory leak in JavaScript's RegExp object
implementation, so no big problem either. Firebird 0.6 certain was
exploitable.

However, even when your prediction is wrong, then IE will remain
unfixed for seemingly forever so being the worst choice. Well, random
errors can be fixed, worked around or avoided - design errors cannot

>>> If you don't like IE or feel it's unsafe then don't. Here's a
>>> good read if you think switching to Firefox will somehow make
>>> your life better:
>>>
>>> http://mywebpages.comcast.net/SupportCD/FirefoxMyths.html
>> Yes, I already pointed out a big load of errors on this website,
>> but the maintainer isn't interested in both facts and arguments but
>> just his big ego
>
> Wait a minute I think you are talking about yourself.

Want to start over with a discussion about the errors of this website
and how mitigating issues makes it even dumber? Actually this would be
waste because there're more wrong than true statements.

Re: Spyware and Adware affect every internet user

Fuzzy Logic wrote:

>> means: you don't have any real proof, but just a lack of positive
>> evidence. BTST too often on compromised system (can you say
>> 'rootkit'?).
>>
>> What about checksums of important system and configuration files,
>> auditing logs and verifications?
>
> I can only assume you are extremely paranoid and do this on a regular
> basis on your system?

This is not paranoid, this is a management issue.

What exactly is the problem of typing "ha -c & ha -e & cmp sha1sum.txt
\backup\sha1sum.txt"? Verifies all files for SHA1 checksum stored in
NTFS Alternate Data Streams on ReiserFS Metadata, exports the list and
verifies against changes in that list to a backup?

Reading the Syslog is a simple general management issue, and
verification boils down to knowing your common process list. Anything
else is already regarded by running as a restricted user.

And well, not just for security but also for reliability and safety
against random or user-inducted errors.

Re: Spyware and Adware affect every internet user

Fuzzy Logic wrote:
> Sounds like a lot of work to see if some exploit code will run in my browser. As I said before many of the
> unpatched ones require handstands and cartwheels for them to actually work.

You just don't understand the idea of a proof-of-concept:

http://en.wikipedia.org/wiki/Proof_of_concept

Yours,
VB.
--
At first there was the word. And the word was Content-type: text/plain

Re: Spyware and Adware affect every internet user

Fuzzy Logic wrote:
> In reality the risk is VERY low.

Your security ideas are comparable to the behaviour of an ostrich facing
danger.

Good luck with that.

Yours,
VB.
--
At first there was the word. And the word was Content-type: text/plain

Re: Spyware and Adware affect every internet user

Fuzzy Logic wrote:
> >> > But as IE isn't suitable as a webbrowser
> >> > anyway, who cares?
> >> Apparently you do. I've been using it for years without a single incident.
> > Without a single incident you realized ;-)
> I do regular scans for viruses, spyware etc. and have never found anything

Yes. This is what I'm saying.

> (not even a malicious cookie).

What is a "malicious cookie"?

Yours,
VB.
--
At first there was the word. And the word was Content-type: text/plain

Re: Spyware and Adware affect every internet user

Volker Birk wrote:
> Fuzzy Logic wrote:
>>>>> But as IE isn't suitable as a webbrowser
>>>>> anyway, who cares?
>>>> Apparently you do. I've been using it for years without a single incident.
>>> Without a single incident you realized ;-)
>> I do regular scans for viruses, spyware etc. and have never found anything
>
> Yes. This is what I'm saying.
>
>> (not even a malicious cookie).
>
> What is a "malicious cookie"?

Supposedly a cookie with the domain attribute set, which can be used to
transfer state beyond domain borders. A common tracking technique used
by almost all big web advertisement companies since more than 10 years.
For the better, Microsoft recently patented it. [1]

Of course this is totally stupid if you configure your webbrowser to not
interpret the domain attribute and therefore keeping the tracking local
(which is possible anyway without any cookies at all). About any
webbrowser under the sun has this disabled by default, and even IE and
has is disabled for anything but websites which regard themselves
trusted according to their P3P policy (which, of course, can be dishonest).

No matter what, most scanners don't pay any respect to the browser
settings and also report any such cookies whether or not it's actually
suitable or intended for tracking.

[1]

Re: Spyware and Adware affect every internet user

Sebastian Gottschalk wrote in news:4bq63eF12dqtnU1@news.dfncis.de:

> Fuzzy Logic wrote:
>
>>> means: you don't have any real proof, but just a lack of positive
>>> evidence. BTST too often on compromised system (can you say
>>> 'rootkit'?).
>>>
>>> What about checksums of important system and configuration files,
>>> auditing logs and verifications?
>>
>> I can only assume you are extremely paranoid and do this on a regular
>> basis on your system?
>
> This is not paranoid, this is a management issue.

Maybe if you work for the military. 99.999999% of computers users will never do this.

> What exactly is the problem of typing "ha -c & ha -e & cmp sha1sum.txt
> \backup\sha1sum.txt"? Verifies all files for SHA1 checksum stored in
> NTFS Alternate Data Streams on ReiserFS Metadata, exports the list and
> verifies against changes in that list to a backup?
>
> Reading the Syslog is a simple general management issue, and
> verification boils down to knowing your common process list. Anything
> else is already regarded by running as a restricted user.

I regularily monitor logs and process.

> And well, not just for security but also for reliability and safety
> against random or user-inducted errors.

Re: Spyware and Adware affect every internet user

Sebastian Gottschalk wrote in news:4bq5ogF121a1tU1@news.dfncis.de:

>> Irrelevant. I'm positive that any current web browser will have a
>> security related patch before the year is out.
>
> I'm still looking forward for a vulnerability in my secure configuration
> of Firefox (which has JavaScript enabled BTW). As far as Bugzilla and
> certain security vendor tell there has been no security issues that
> applied to my configuration since Firebird 0.9 (!), so I've worked
> around it / hardened before discovery of the problem. The only issue in
> Firebird 0.8 was a memory leak in JavaScript's RegExp object
> implementation, so no big problem either. Firebird 0.6 certain was
> exploitable.

So lyou are running the totally 'secure' version of Firefox 1.5.0.2

Re: Spyware and Adware affect every internet user

Fuzzy Logic wrote:

>> I'm still looking forward for a vulnerability in my secure configuration
>> of Firefox (which has JavaScript enabled BTW). As far as Bugzilla and
>> certain security vendor tell there has been no security issues that
>> applied to my configuration since Firebird 0.9 (!), so I've worked
>> around it / hardened before discovery of the problem. The only issue in
>> Firebird 0.8 was a memory leak in JavaScript's RegExp object
>> implementation, so no big problem either. Firebird 0.6 certain was
>> exploitable.
>
> So lyou are running the totally 'secure' version of Firefox 1.5.0.2

I had been running a totally 'secure' Firefox 1.5.0.2 before I updated
to 1.5.0.3 two days ago. JavaScript Security Policies in Mozilla are a
damn fine thing.

Re: Spyware and Adware affect every internet user

Fuzzy Logic wrote:

>>>> What about checksums of important system and configuration files,
>>>> auditing logs and verifications?
>>> I can only assume you are extremely paranoid and do this on a regular
>>> basis on your system?
>> This is not paranoid, this is a management issue.
>
> Maybe if you work for the military.

Eh, lol? Just show me one serious administrator who doesn't read
logfiles. Or creates checked backups.

> 99.999999% of computers users will never do this.

90% are dumb anyway when it comes to computers.

> I regularily monitor logs and process.

Ah, finally you're getting serious.
And if you were reading BugTraq then you'd also get a very bad feeling
about using IE.

Re: Spyware and Adware affect every internet user

Sebastian Gottschalk wrote in news:4bq5ogF121a1tU1@news.dfncis.de:

>> Irrelevant. I'm positive that any current web browser will have a
>> security related patch before the year is out.
>
> I'm still looking forward for a vulnerability in my secure configuration
> of Firefox (which has JavaScript enabled BTW). As far as Bugzilla and
> certain security vendor tell there has been no security issues that
> applied to my configuration since Firebird 0.9 (!), so I've worked
> around it / hardened before discovery of the problem. The only issue in
> Firebird 0.8 was a memory leak in JavaScript's RegExp object
> implementation, so no big problem either. Firebird 0.6 certain was
> exploitable.

So let's say you are running the 'secure' Firefox 1.5.0.2. Why would you need to install 1.5.0.3?

Because 1.5.0.2 has a critical security flaw and is in fact not 'secure'. Of course the user thinks it's secure
right up until the vulnerability is discovered. So it's not that the browser was 'secure' just that it appears to be
'secure' because no known vulnerabalities existed at the time of release. The software engineers have done
their best to make it 'secure' but somehow something was missed.

You then update to the 'secure' Firefox 1.5.0.3 and you are now sure to be safe.

I am extremely confident there will be a critical security flaw in this or an upcoming version of Firefox so in fact
1.5.0.3 is not 'secure'.

Regardless of the browser you use there are going to be serious, but as yet undiscovered/exploited flaws. So
find a browser YOU like, keep it patched, learn and use it's security features, practice safe surfing and you will
likely be as safe as you can be.

To say browser A is 'safer' than browser B is a comparison that is near impossible to make because of many
mitigating factors including the OS, the browser version/settings, browser plugins/extensions, firewall, AV
software, patches installed and the person at the keyboard.

Once people realize security is a process and not software or hardware they will then understand the
regardless of the configuration they run they are not completely 'secure'. The best they can do is find a
comprimise between security and usability that is acceptable to them.

This is why we have choices in OS's, browsers, AV software etc. as they offer varying levels of security and
functionality so that we as users can pick the ones that best meet our needs. I've tried most browsers and
settled on Avant (IE shell...had tabbed browsing before Firefox even existed). You obviously have gone
another route. To say you have made a better choice or have a more 'secure' browser is a fallacy. Since
neither of us have had 'security' incidents they APPEAR to be equally 'secure' and what's 'best' for me may be
useless to you and vice versa.

Re: Spyware and Adware affect every internet user

Fuzzy Logic wrote:

> So let's say you are running the 'secure' Firefox 1.5.0.2. Why would
> you need to install 1.5.0.3?

Stability issues and being less dependent on any second line of defense?

> Because 1.5.0.2 has a critical security flaw and is in fact not
> 'secure'.

The flaw didn't apply due to a workaround already being implemented in
before.

> Regardless of the browser you use there are going to be serious, but
> as yet undiscovered/exploited flaws. So find a browser YOU like, keep
> it patched, learn and use it's security features, practice safe
> surfing and you will likely be as safe as you can be.

But IE has discovered unpatched flaws, so you can safely assume that it
will be exploited no matter how you try.

> This is why we have choices in OS's, browsers, AV software etc. as
> they offer varying levels of security and functionality so that we as
> users can pick the ones that best meet our needs. I've tried most
> browsers and settled on Avant (IE shell...had tabbed browsing before
> Firefox even existed). You obviously have gone another route.

No, I've been willing to draw rational conclusions: IE is no alternative
in first place and keeps on being excluded until Microsoft fixes at
least the known security problems.

Re: Spyware and Adware affect every internet user

Fuzzy Logic wrote:
> Regardless of the browser you use there are going to be serious, but as yet
> undiscovered/exploited flaws.

Please try to understand the difference between a design flaw and an
exploit.

Yours,
VB.
--
At first there was the word. And the word was Content-type: text/plain

Re: Spyware and Adware affect every internet user

Sebastian Gottschalk wrote in news:4bsbokF12266kU1@news.dfncis.de:

> Fuzzy Logic wrote:
>
>> So let's say you are running the 'secure' Firefox 1.5.0.2. Why would
>> you need to install 1.5.0.3?
>
> Stability issues and being less dependent on any second line of defense?
>
>> Because 1.5.0.2 has a critical security flaw and is in fact not
>> 'secure'.
>
> The flaw didn't apply due to a workaround already being implemented in
> before.
>
>> Regardless of the browser you use there are going to be serious, but
>> as yet undiscovered/exploited flaws. So find a browser YOU like, keep
>> it patched, learn and use it's security features, practice safe
>> surfing and you will likely be as safe as you can be.
>
> But IE has discovered unpatched flaws, so you can safely assume that it
> will be exploited no matter how you try.

I don't like to assume anything.

Many of these 'flaws' have been around for quite some time and amazingly no one has taken advantage of
them (mostly becuase they are too obscure to do so). Of course if you visit malicious, pornographic or
malware sites you may wish to use another browser besides IE (though I would be nervous regardless of the
browser I was using).

>> This is why we have choices in OS's, browsers, AV software etc. as
>> they offer varying levels of security and functionality so that we as
>> users can pick the ones that best meet our needs. I've tried most
>> browsers and settled on Avant (IE shell...had tabbed browsing before
>> Firefox even existed). You obviously have gone another route.
>
> No, I've been willing to draw rational conclusions: IE is no alternative
> in first place and keeps on being excluded until Microsoft fixes at
> least the known security problems.

IE is not an alternative for YOU. Others, including myself, believe that the risks of the known security issues
have been overblown. This is primarly because of Firefox who touted their browser as more secure than IE.
Now that Firefox has been around for a while and numerous critical flaws have been found and fixed their
website lists security quite a ways down on the list (used to be #1) of reasons why you should use it.

I support an organization of over 600 IE users and in the many years I have been here we have never had a
security incident related to the web browser.

Re: Spyware and Adware affect every internet user

Fuzzy Logic wrote:

> Many of these 'flaws' have been around for quite some time and
> amazingly no one has taken advantage of them (mostly becuase they are
> too obscure to do so).

You're wrong, these flaws are getting exploited all day long. This has
actually gone so far that Microsoft declared some of them to be features.

> Of course if you visit malicious, pornographic or malware sites you
> may wish to use another browser besides IE

Every website including third-party content is malicious. Google is, the
Microsoft website is, Slashdot is, I guess even ubuntu-forums.com is.

> (though I would be nervous regardless of the browser I was using).

Why? No webbrowser needs to be exploitable in first place. Well, but IE.

>> No, I've been willing to draw rational conclusions: IE is no
>> alternative in first place and keeps on being excluded until
>> Microsoft fixes at least the known security problems.
>
> IE is not an alternative for YOU. Others, including myself, believe
> that the risks of the known security issues have been overblown.

Fine, but I rather prefer facts over believe.

> This is primarly because of Firefox who touted their browser as more
> secure than IE.

No, this is primarily because you believe such marketing bullshit.
Beside that this claim turned out to be true.

> I support an organization of over 600 IE users and in the many years
> I have been here we have never had a security incident related to the
> web browser.

None you detected. BTW, which of your employees told you that he has
been spoofed?
And, another good keyword for you: reliability

Re: Spyware and Adware affect every internet user

Sebastian Gottschalk wrote in news:4bsma8F12kspqU1@news.dfncis.de:

> Fuzzy Logic wrote:
>
>> Many of these 'flaws' have been around for quite some time and
>> amazingly no one has taken advantage of them (mostly becuase they are
>> too obscure to do so).
>
> You're wrong, these flaws are getting exploited all day long. This has
> actually gone so far that Microsoft declared some of them to be features.

References?

>> Of course if you visit malicious, pornographic or malware sites you
>> may wish to use another browser besides IE
>
> Every website including third-party content is malicious. Google is, the
> Microsoft website is, Slashdot is, I guess even ubuntu-forums.com is.

You obviously have a different defintion of malicious than I do.

>> (though I would be nervous regardless of the browser I was using).
>
> Why? No webbrowser needs to be exploitable in first place. Well, but IE.

Of course they don't need to be exploitable, they just are. That's because none of them are or ever will be
perfect.

>>> No, I've been willing to draw rational conclusions: IE is no
>>> alternative in first place and keeps on being excluded until
>>> Microsoft fixes at least the known security problems.
>>
>> IE is not an alternative for YOU. Others, including myself, believe
>> that the risks of the known security issues have been overblown.
>
> Fine, but I rather prefer facts over believe.
>
>> This is primarly because of Firefox who touted their browser as more
>> secure than IE.
>
> No, this is primarily because you believe such marketing bullshit.
> Beside that this claim turned out to be true.

Both sides are using marketing BS. I don't believe either or them.

>> I support an organization of over 600 IE users and in the many years
>> I have been here we have never had a security incident related to the
>> web browser.
>
> None you detected. BTW, which of your employees told you that he has
> been spoofed?

Our AV software prevents spoofing.

> And, another good keyword for you: reliability

Your point?

Re: Spyware and Adware affect every internet user

Fuzzy Logic wrote:
> Sebastian Gottschalk wrote in
> news:4bsma8F12kspqU1@news.dfncis.de:
>
>> Fuzzy Logic wrote:
>>
>>> Many of these 'flaws' have been around for quite some time and
>>> amazingly no one has taken advantage of them (mostly becuase they
>>> are too obscure to do so).
>> You're wrong, these flaws are getting exploited all day long. This
>> has actually gone so far that Microsoft declared some of them to be
>> features.
>
> References?



>>> Of course if you visit malicious, pornographic or malware sites
>>> you may wish to use another browser besides IE
>> Every website including third-party content is malicious. Google
>> is, the Microsoft website is, Slashdot is, I guess even
>> ubuntu-forums.com is.
>
> You obviously have a different defintion of malicious than I do.

No. Any malicious guy can buy some adspace from an advertiser and put
his content in there. We've seen this with the IFrame vuln., the WMF
vuln. and certain ActiveX vulnerabilities widespread.

Hello and welcome to the internet!

>>> (though I would be nervous regardless of the browser I was
>>> using).
>> Why? No webbrowser needs to be exploitable in first place. Well,
>> but IE.
>
> Of course they don't need to be exploitable, they just are. That's
> because none of them are or ever will be perfect.

But you know the difference between being potentially exploitable with
currently no problem known and always being exploitable by design, for
sure known?

>> And, another good keyword for you: reliability
>
> Your point?

IE is unreliable because of known unfixed and unfixable problems, you
must reasonably assume that it will get exploited whenever possible.

For any real webbrowser you can assume that it can't be exploitable
until some vulnerability becomes public, and even then you can already
have the workaround in place, having set up some configuration to limit
the impact or not being vulnerable due to hardening.

Re: Spyware and Adware affect every internet user

Fuzzy Logic wrote:
> Of course if you visit malicious, pornographic or
> malware sites you may wish to use another browser besides IE

Why are you thinking so if you think, that IE is secure?

Yours,
VB.
--
At first there was the word. And the word was Content-type: text/plain

Re: Spyware and Adware affect every internet user

Sebastian Gottschalk wrote in news:4bnijkF11lv06U1@news.dfncis.de:

> Fuzzy Logic wrote:
>
>>> are you Nuts? There are often times when an exploit goes public and
>>> the patch has not been released.
>>
>> Not very often and you need to visit a specially crafted web site. In
>> reality the risk is VERY low.
>
> Ehm... have you been sleeping when someone hijacked the server of
> advertiser FalkAG to spread IE trojans over many usually harmless and
> trusted big websites like NYTimes, Slashdot and even Yahoo? Still
> dizzing when some company bought some adspace from Google Ads for
> spreading WMF images?
> There is no such thing like avoiding dangerous websites.
>
> In Soviet Russia, websites are browsing at you !!!11

Heard about but like many other attacks our configuration protected us. As I said we have not had a computer
security incident in more than 2 years. Still using IE and going strong.

Re: Spyware and Adware affect every internet user

Volker Birk wrote in news:4459a151@news.uni-ulm.de:

> Fuzzy Logic wrote:
>> Of course if you visit malicious, pornographic or
>> malware sites you may wish to use another browser besides IE
>
> Why are you thinking so if you think, that IE is secure?

I never said IE is 'secure'. I have said many times that no browser is 'secure'. If you go to bad places the odds
are higher that bad things will happen. This has nothing to do with the browser you are using. If you download
some warez and it trashes your computer is that your browser's fault? In addition IE's default security settings
are far from ideal. This doesn't mean that it cannot be configured to be much more 'secure'.

Re: Spyware and Adware affect every internet user

Sebastian Gottschalk wrote in
news:4bsq8dF12npofU1@news.dfncis.de:

> Fuzzy Logic wrote:
>> Sebastian Gottschalk wrote in
>> news:4bsma8F12kspqU1@news.dfncis.de:
>>
>>> Fuzzy Logic wrote:
>>>
>>>> Many of these 'flaws' have been around for quite some time and
>>>> amazingly no one has taken advantage of them (mostly becuase they
>>>> are too obscure to do so).
>>> You're wrong, these flaws are getting exploited all day long. This
>>> has actually gone so far that Microsoft declared some of them to be
>>> features.
>>
>> References?
>
> >-bc12-def57c3354fa1033.mspx>

I was referring to the flaws that are getting 'exploited all day long'.

>>>> Of course if you visit malicious, pornographic or malware sites
>>>> you may wish to use another browser besides IE
>>> Every website including third-party content is malicious. Google
>>> is, the Microsoft website is, Slashdot is, I guess even
>>> ubuntu-forums.com is.
>>
>> You obviously have a different defintion of malicious than I do.
>
> No. Any malicious guy can buy some adspace from an advertiser and put
> his content in there. We've seen this with the IFrame vuln., the WMF
> vuln. and certain ActiveX vulnerabilities widespread.
>
> Hello and welcome to the internet!

While this is true our locked down configuration of IE has emerged unscathed.

>>>> (though I would be nervous regardless of the browser I was
>>>> using).
>>> Why? No webbrowser needs to be exploitable in first place. Well,
>>> but IE.
>>
>> Of course they don't need to be exploitable, they just are. That's
>> because none of them are or ever will be perfect.
>
> But you know the difference between being potentially exploitable with
> currently no problem known and always being exploitable by design, for
> sure known?
>
>>> And, another good keyword for you: reliability
>>
>> Your point?
>
> IE is unreliable because of known unfixed and unfixable problems, you
> must reasonably assume that it will get exploited whenever possible.

Again that may well be true buy for some reason we have been running for years without an incident. I
guess we just lucked out with our configuration?

> For any real webbrowser you can assume that it can't be exploitable
> until some vulnerability becomes public, and even then you can already
> have the workaround in place, having set up some configuration to limit
> the impact or not being vulnerable due to hardening.

That's the current situation for us with IE.

Re: Spyware and Adware affect every internet user

Fuzzy Logic wrote:

>>>> You're wrong, these flaws are getting exploited all day long. This
>>>> has actually gone so far that Microsoft declared some of them to be
>>>> features.
>>> References?
>> >> -bc12-def57c3354fa1033.mspx>
>
> I was referring to the flaws that are getting 'exploited all day long'.

This is one.

> While this is true our locked down configuration of IE has emerged unscathed.

Nah, you just didn't meet the right exploits yet.

>> For any real webbrowser you can assume that it can't be exploitable
>> until some vulnerability becomes public, and even then you can already
>> have the workaround in place, having set up some configuration to limit
>> the impact or not being vulnerable due to hardening.
>
> That's the current situation for us with IE.

Wrong, as for some (even critical) vulnerabilities there are no such
things like safe configuration or workaround.

BTW, you think misusing IE as a webbrowser is a credible state?

Re: Spyware and Adware affect every internet user

Fuzzy Logic wrote:
> If you download some warez and it trashes your computer is
> that your browser's fault? In addition IE's default security settings
> are far from ideal. This doesn't mean that it cannot be configured
> to be much more 'secure'.

Get a point! It cannot even be configured to work around well-known
unfixed vulnerabilities, yet would any such configuration be usable.

Re: Spyware and Adware affect every internet user

Sebastian Gottschalk wrote in news:4bvavkF137n2jU2@news.dfncis.de:

> Fuzzy Logic wrote:
>> If you download some warez and it trashes your computer is
>> that your browser's fault? In addition IE's default security settings
>> are far from ideal. This doesn't mean that it cannot be configured
>> to be much more 'secure'.
>
> Get a point! It cannot even be configured to work around well-known
> unfixed vulnerabilities, yet would any such configuration be usable.

As I said we have over 600 IE users working with it day in and day out and have no complaints or security
issues. You just need to spend some time getting the right configuration.

Re: Spyware and Adware affect every internet user

Sebastian Gottschalk wrote in
news:4bvat0F137n2jU1@news.dfncis.de:

> Fuzzy Logic wrote:
>
>>>>> You're wrong, these flaws are getting exploited all day long. This
>>>>> has actually gone so far that Microsoft declared some of them to be
>>>>> features.
>>>> References?
>>> >>> d5c -bc12-def57c3354fa1033.mspx>
>>
>> I was referring to the flaws that are getting 'exploited all day long'.
>
> This is one.

Which is?

>> While this is true our locked down configuration of IE has emerged
>> unscathed.
>
> Nah, you just didn't meet the right exploits yet.

But since you say they are so pervasive and we have hundreds of users using IE on a daily basis for years
you think we might encounter one?

Paranoia is a strong motivator (remember weapons of mass destruction). In reality most of these 'threats' are
overblown and can easily be thwarted with common sense and proper configuration.

>>> For any real webbrowser you can assume that it can't be exploitable
>>> until some vulnerability becomes public, and even then you can already
>>> have the workaround in place, having set up some configuration to
>>> limit the impact or not being vulnerable due to hardening.
>>
>> That's the current situation for us with IE.
>
> Wrong, as for some (even critical) vulnerabilities there are no such
> things like safe configuration or workaround.

So you say. It's certainly not been my experience.

> BTW, you think misusing IE as a webbrowser is a credible state?

Huh? If IE isn't a web browser I'm not sure what it is? It may not be a web browser that YOU approve of but it's
still a web browser none the less.

Re: Spyware and Adware affect every internet user

Fuzzy Logic wrote:

>>>>>> You're wrong, these flaws are getting exploited all day long. This
>>>>>> has actually gone so far that Microsoft declared some of them to be
>>>>>> features.
>>>>> References?
>>>> >>>> d5c -bc12-def57c3354fa1033.mspx>
>>> I was referring to the flaws that are getting 'exploited all day long'.
>> This is one.
>
> Which is?

Running executable through mismatching MIME times.
Microsoft never fixed the defective handling, but instead added some
common type-combination to a blacklist. On Windows Server 2003 this was
even turned into a Group Policy, yet it still isn't an empty whitelist
and certain combinations can lead to execute f.e. HTA files (which has
actually been reported and fixed some weeks ago).

>> Wrong, as for some (even critical) vulnerabilities there are no such
>> things like safe configuration or workaround.
>
> So you say. It's certainly not been my experience.

I gave you a list with some exploits. Show me a configuration that
prevents all of them.

>> BTW, you think misusing IE as a webbrowser is a credible state?
>
> Huh? If IE isn't a web browser I'm not sure what it is?

It is a Rich Platform Client for COM/ActiveX Applications.

> It may not be a web browser that YOU approve of but it's
> still a web browser none the less.

I've pointed you to documentation about design problems that clearly
show that IE was never intended to be used in a hostile environment.

And well, it renders HTML pretty poorly, doesn't even do the SGML
parsing correctly (which disqualifies it as a webbrowser totally) and
even Telnet performs better on HTTP Digest Authentication (which is
totally laughable for something claiming to be a webbrowser).

Re: Spyware and Adware affect every internet user

Fuzzy Logic wrote:
> Sebastian Gottschalk wrote in news:4bvavkF137n2jU2@news.dfncis.de:
>
>> Fuzzy Logic wrote:
>>> If you download some warez and it trashes your computer is
>>> that your browser's fault? In addition IE's default security settings
>>> are far from ideal. This doesn't mean that it cannot be configured
>>> to be much more 'secure'.
>> Get a point! It cannot even be configured to work around well-known
>> unfixed vulnerabilities, yet would any such configuration be usable.
>
> As I said we have over 600 IE users working with it day in and day out and have no complaints or security
> issues. You just need to spend some time getting the right configuration.

*cough*

http://web.inf.tu-dresden.de/~s9053014/iesec.xhtml#Crash1

Show me a configuration to circumvent that.


Well, I would know one: Filter out every JavaScript and CSS at the proxy
level, performing poorly and rendering most websites unusable.

Re: Spyware and Adware affect every internet user

Sebastian Gottschalk wrote in
news:4c1t1dF12tmucU2@news.dfncis.de:

> Fuzzy Logic wrote:
>> Sebastian Gottschalk wrote in
>> news:4bvavkF137n2jU2@news.dfncis.de:
>>
>>> Fuzzy Logic wrote:
>>>> If you download some warez and it trashes your computer is
>>>> that your browser's fault? In addition IE's default security settings
>>>> are far from ideal. This doesn't mean that it cannot be configured
>>>> to be much more 'secure'.
>>> Get a point! It cannot even be configured to work around well-known
>>> unfixed vulnerabilities, yet would any such configuration be usable.
>>
>> As I said we have over 600 IE users working with it day in and day out
>> and have no complaints or security issues. You just need to spend some
>> time getting the right configuration.
>
> *cough*
>
> http://web.inf.tu-dresden.de/~s9053014/iesec.xhtml#Crash1
>
> Show me a configuration to circumvent that.

As I've stated many times my configuration will not load that page so I have cicumvented it.

> Well, I would know one: Filter out every JavaScript and CSS at the proxy
> level, performing poorly and rendering most websites unusable.

Re: Spyware and Adware affect every internet user

Fuzzy Logic wrote:

>> http://web.inf.tu-dresden.de/~s9053014/iesec.xhtml#Crash1
>>
>> Show me a configuration to circumvent that.
>
> As I've stated many times my configuration will not load that page so I have cicumvented it.

As I've stated this point is ultimately stupid. This is no
circumvention, this is a bug you should be sorry for. This is supposed
to be READ instead or TRIED.

BTW, do you thing this would stop a bad guy copying it to his own
website anyway?

Re: Spyware and Adware affect every internet user

Sebastian Gottschalk wrote in news:4c1sttF12tmucU1@news.dfncis.de:

> Fuzzy Logic wrote:
>
>>>>>>> You're wrong, these flaws are getting exploited all day long. This
>>>>>>> has actually gone so far that Microsoft declared some of them to be
>>>>>>> features.
>>>>>> References?
>>>>> >>>>> d5c -bc12-def57c3354fa1033.mspx>
>>>> I was referring to the flaws that are getting 'exploited all day long'.
>>> This is one.
>>
>> Which is?
>
> Running executable through mismatching MIME times.
> Microsoft never fixed the defective handling, but instead added some
> common type-combination to a blacklist. On Windows Server 2003 this was
> even turned into a Group Policy, yet it still isn't an empty whitelist
> and certain combinations can lead to execute f.e. HTA files (which has
> actually been reported and fixed some weeks ago).
>
>>> Wrong, as for some (even critical) vulnerabilities there are no such
>>> things like safe configuration or workaround.
>>
>> So you say. It's certainly not been my experience.
>
> I gave you a list with some exploits. Show me a configuration that
> prevents all of them.

As I stated my current configuration prevented all of them.

>>> BTW, you think misusing IE as a webbrowser is a credible state?
>>
>> Huh? If IE isn't a web browser I'm not sure what it is?
>
> It is a Rich Platform Client for COM/ActiveX Applications.

ha ha

>> It may not be a web browser that YOU approve of but it's
>> still a web browser none the less.
>
> I've pointed you to documentation about design problems that clearly
> show that IE was never intended to be used in a hostile environment.

Again your definition of a hostile environment and mine are very different.

> And well, it renders HTML pretty poorly, doesn't even do the SGML
> parsing correctly (which disqualifies it as a webbrowser totally) and
> even Telnet performs better on HTTP Digest Authentication (which is
> totally laughable for something claiming to be a webbrowser).

Yet amazingly it holds up and does what it's supposed to do which is browse the web. I will admit it's
default configuration is far from ideal.

Having said that if properly configured and an intelligent person at the keyboard it works quite well and can
be very secure.

As for how secure then we get into arguments along the lines of wether a boat with two holes in it is better
than a boat with one and wether or not they were designed from the ground up to hit logs makes them
safer boats.

Re: Spyware and Adware affect every internet user

Fuzzy Logic wrote:

>>> So you say. It's certainly not been my experience.
>> I gave you a list with some exploits. Show me a configuration that
>> prevents all of them.
>
> As I stated my current configuration prevented all of them.

So, does it? If that's actually the case, I want to know some details.
What did you do to circumvent the CSS parser boundary errors? What about
the link spoofing?

>>> It may not be a web browser that YOU approve of but it's still a
>>> web browser none the less.
>> I've pointed you to documentation about design problems that
>> clearly show that IE was never intended to be used in a hostile
>> environment.
>
> Again your definition of a hostile environment and mine are very
> different.

hostile = out of your control, malicious. For example the WWW

>> And well, it renders HTML pretty poorly, doesn't even do the SGML
>> parsing correctly (which disqualifies it as a webbrowser totally)
>> and even Telnet performs better on HTTP Digest Authentication
>> (which is totally laughable for something claiming to be a
>> webbrowser).
>
> Yet amazingly it holds up and does what it's supposed to do which is
> browse the web.

It's not supposed to do that.

> Having said that if properly configured and an intelligent person at
> the keyboard it works quite well and can be very secure.

means: keeps being insecure no matter how much you try.

Re: Spyware and Adware affect every internet user

Fuzzy Logic wrote:
> > http://web.inf.tu-dresden.de/~s9053014/iesec.xhtml#Crash1
> > Show me a configuration to circumvent that.
> As I've stated many times my configuration will not load that page so I have cicumvented it.

"Fuzzy",

this is not a page with an exploit, but a page with a description, how
to create an exploit.

Not to read it and claiming to be secure is exactly the same as what an
ostrich does fearing danger.

Yours,
VB.
--
At first there was the word. And the word was Content-type: text/plain

Re: Spyware and Adware affect every internet user

Volker Birk wrote:
> Fuzzy Logic wrote:
>
>>>http://web.inf.tu-dresden.de/~s9053014/iesec.xhtml#Crash1
>>>Show me a configuration to circumvent that.
>>
>>As I've stated many times my configuration will not load that page so I have cicumvented it.
>
>
> "Fuzzy",
>
> this is not a page with an exploit, but a page with a description, how
> to create an exploit.
>
> Not to read it and claiming to be secure is exactly the same as what an
> ostrich does fearing danger.
>
> Yours,
> VB.
I was able to read that page without difficulty, but then my browser
works. (It is not IE). Perhaps someone should compose a page which
actually *contains* the exploit, rather than a page which merely
contains a description of it. Fuzzy could then look at *that* page, and
tell us what happens?
Alternatively, Fuzzy could use another browser to look at the page with
the *descriptions* (seeing as IE is too broken to do so), and then
comment on them.

Re: Spyware and Adware affect every internet user

none wrote:

> Alternatively, Fuzzy could use another browser to look at the page with
> the *descriptions* (seeing as IE is too broken to do so), and then
> comment on them.

You can even read this page with IE when doing the download or adding
appplication/xhtml+xml to the MIME types list.

Re: Spyware and Adware affect every internet user

none <""mike\"@(none)"> wrote in
news:44606163$0$9260$ed2619ec@ptn-nntp-reader01.plus.net:

> Volker Birk wrote:
>> Fuzzy Logic wrote:
>>
>>>>http://web.inf.tu-dresden.de/~s9053014/iesec.xhtml#Crash 1
>>>>Show me a configuration to circumvent that.
>>>
>>>As I've stated many times my configuration will not load that page so I
>>>have cicumvented it.
>>
>>
>> "Fuzzy",
>>
>> this is not a page with an exploit, but a page with a description, how
>> to create an exploit.
>>
>> Not to read it and claiming to be secure is exactly the same as what an
>> ostrich does fearing danger.
>>
>> Yours,
>> VB.
> I was able to read that page without difficulty, but then my browser
> works. (It is not IE). Perhaps someone should compose a page which
> actually *contains* the exploit, rather than a page which merely
> contains a description of it. Fuzzy could then look at *that* page, and
> tell us what happens?
> Alternatively, Fuzzy could use another browser to look at the page with
> the *descriptions* (seeing as IE is too broken to do so), and then
> comment on them.

The problem is I don't have the xhtml extension registered (and why is it a xhtml file anyways?). Please post a
site that does use the exploit and I will be quite willing to try it with my configuration. I can do this from a virtual
machine for testing.

PS not interested in DoS exploits.

Re: Spyware and Adware affect every internet user

Sebastian Gottschalk wrote in news:4c9uukF1533coU1@news.dfncis.de:

> Fuzzy Logic wrote:
>
>>>> So you say. It's certainly not been my experience.
>>> I gave you a list with some exploits. Show me a configuration that
>>> prevents all of them.
>>
>> As I stated my current configuration prevented all of them.
>
> So, does it? If that's actually the case, I want to know some details.
> What did you do to circumvent the CSS parser boundary errors? What about
> the link spoofing?

I've never encountered CSS parser boundary errors. Maybe you can supply a link?
All link spoofing tests I've tried failed. If you have another link for me to test feel free to post it.

>>>> It may not be a web browser that YOU approve of but it's still a
>>>> web browser none the less.
>>> I've pointed you to documentation about design problems that
>>> clearly show that IE was never intended to be used in a hostile
>>> environment.
>>
>> Again your definition of a hostile environment and mine are very
>> different.
>
> hostile = out of your control, malicious. For example the WWW

my definition is more like:

hostile = characterized by enmity or ill will

since I don't consider the entire WWW out to get me perhaps you suffer from paranoia - Extreme, irrational
distrust of others

>>> And well, it renders HTML pretty poorly, doesn't even do the SGML
>>> parsing correctly (which disqualifies it as a webbrowser totally)
>>> and even Telnet performs better on HTTP Digest Authentication
>>> (which is totally laughable for something claiming to be a
>>> webbrowser).
>>
>> Yet amazingly it holds up and does what it's supposed to do which is
>> browse the web.
>
> It's not supposed to do that.

huh?

>> Having said that if properly configured and an intelligent person at
>> the keyboard it works quite well and can be very secure.
>
> means: keeps being insecure no matter how much you try.

I guess I will just have to cope. I certainly am not going to convince you.

Re: Spyware and Adware affect every internet user

Fuzzy Logic wrote:
> Sebastian Gottschalk wrote in news:4c9uukF1533coU1@news.dfncis.de:
>
>> Fuzzy Logic wrote:
>>
>>>>> So you say. It's certainly not been my experience.
>>>> I gave you a list with some exploits. Show me a configuration that
>>>> prevents all of them.
>>> As I stated my current configuration prevented all of them.
>> So, does it? If that's actually the case, I want to know some details.
>> What did you do to circumvent the CSS parser boundary errors? What about
>> the link spoofing?
>
> I've never encountered CSS parser boundary errors. Maybe you can supply a link?

I already supplied the link. Would you please take care to read it?

> All link spoofing tests I've tried failed.
> If you have another link for me to test feel free to post it.

I've already given you a link. So far all the spoofing test do work
pretty well with even IE7 Beta2. Well, except for the address bar
spoofing, which no requires a showModalDialog() instead of a simple open().

> hostile = characterized by enmity or ill will
>
> since I don't consider the entire WWW out to get me perhaps you suffer from paranoia - Extreme, irrational
> distrust of others

If you still didn't get it: The malicious guys are buying adspace, so
their exploits are included in a lot of legitimate websites. The entire
WWW is affected, if you like it or not.

>>> Yet amazingly it holds up and does what it's supposed to do which is
>>> browse the web.
>> It's not supposed to do that.
>
> huh?

It's supposed to browse a trusted subset of webservices or the intranet.
Generally browsing the web is out of its design boundaries.

Re: Spyware and Adware affect every internet user

Fuzzy Logic wrote:

> The problem is I don't have the xhtml extension registered (and why is it a xhtml file anyways?).

LOL? XHTML is the most recent, state-of-the-art HTML specification and
..xhtml is the associated file extension. Hey, even IE is able to handle
this and has is associated correctly, except for the MIME types.

> Please post a site that does use the exploit and I will be quite willing to try it with my configuration.

Eh, can't you write it yourself? Just copy and paste.
Oh, wait, I forgot, your 'webbrowser' doesn't allow you to view a simple
webpage. Geez, what a waste of time to feed you like a baby.



> PS not interested in DoS exploits.

Well, this should give you a NullPointer Exception in shdoclc.dll at
some fixed offset (usually 0x69), normally leading to a crash. One can
specially craft it to execute code.

Re: Spyware and Adware affect every internet user

Sebastian Gottschalk wrote in
news:4ccmglF15dhkrU1@news.dfncis.de:

> Fuzzy Logic wrote:
>> Sebastian Gottschalk wrote in
>> news:4c9uukF1533coU1@news.dfncis.de:
>>
>>> Fuzzy Logic wrote:
>>>
>>>>>> So you say. It's certainly not been my experience.
>>>>> I gave you a list with some exploits. Show me a configuration that
>>>>> prevents all of them.
>>>> As I stated my current configuration prevented all of them.
>>> So, does it? If that's actually the case, I want to know some details.
>>> What did you do to circumvent the CSS parser boundary errors? What
>>> about the link spoofing?
>>
>> I've never encountered CSS parser boundary errors. Maybe you can supply
>> a link?
>
> I already supplied the link. Would you please take care to read it?
>
>> All link spoofing tests I've tried failed.
>> If you have another link for me to test feel free to post it.
>
> I've already given you a link. So far all the spoofing test do work
> pretty well with even IE7 Beta2. Well, except for the address bar
> spoofing, which no requires a showModalDialog() instead of a simple
> open().
>
>> hostile = characterized by enmity or ill will
>>
>> since I don't consider the entire WWW out to get me perhaps you suffer
>> from paranoia - Extreme, irrational distrust of others
>
> If you still didn't get it: The malicious guys are buying adspace, so
> their exploits are included in a lot of legitimate websites. The entire
> WWW is affected, if you like it or not.

I use an adblocker.

As I said regardless of how unsafe you think I am (as well as 600 of my co-workers) we have not had a
single incident in years. We do regular scans and monitoring of desktops for nasties and none have been
found.

>>>> Yet amazingly it holds up and does what it's supposed to do which is
>>>> browse the web.
>>> It's not supposed to do that.
>>
>> huh?
>
> It's supposed to browse a trusted subset of webservices or the intranet.
> Generally browsing the web is out of its design boundaries.

I gather you were in the design meetings for IE?

Re: Spyware and Adware affect every internet user

Fuzzy Logic wrote:

>> If you still didn't get it: The malicious guys are buying adspace,
>> so their exploits are included in a lot of legitimate websites. The
>> entire WWW is affected, if you like it or not.
>
> I use an adblocker.

So, and this helps against direct site includes?

> As I said regardless of how unsafe you think I am (as well as 600 of
> my co-workers) we have not had a single incident in years. We do
> regular scans and monitoring of desktops for nasties and none have
> been found.

Do I sense the doomsday argument here?

>> It's supposed to browse a trusted subset of webservices or the
>> intranet. Generally browsing the web is out of its design
>> boundaries.
>
> I gather you were in the design meetings for IE?

No. One can conclude design decisions from reverse engineering.

Re: Spyware and Adware affect every internet user

Fuzzy Logic wrote:
> (and why is it a xhtml file anyways?)

Because XHTML is the actual W3C recommendation for webpages?

http://www.w3.org/MarkUp/#recommendations

Yours,
VB.
--
At first there was the word. And the word was Content-type: text/plain

Re: Spyware and Adware affect every internet user

Sebastian Gottschalk wrote in news:4cf717F15smlvU1@news.dfncis.de:

> Fuzzy Logic wrote:
>
>>> If you still didn't get it: The malicious guys are buying adspace,
>>> so their exploits are included in a lot of legitimate websites. The
>>> entire WWW is affected, if you like it or not.
>>
>> I use an adblocker.
>
> So, and this helps against direct site includes?

Actually it does. It parses HTML looking for advertisement tags and removes the offending code. It doesn't
catch everything but still does a very good job.

>> As I said regardless of how unsafe you think I am (as well as 600 of
>> my co-workers) we have not had a single incident in years. We do
>> regular scans and monitoring of desktops for nasties and none have
>> been found.
>
> Do I sense the doomsday argument here?

I don't know do you?

>>> It's supposed to browse a trusted subset of webservices or the
>>> intranet. Generally browsing the web is out of its design
>>> boundaries.
>>
>> I gather you were in the design meetings for IE?
>
> No. One can conclude design decisions from reverse engineering.

You can conclude all you want but you don't know for sure. Just like you've concluded that my configuration is
insecure without knowing what it is beyond that I use IE. The fact is nothing is 100% secure, it's only perceived
as secure until such time as a new vulnerability is discovered. The best we can do is limit our risk, while
maintaining the functionality that we require. Our configuration has met our needs while preventing attacks and
therefore met our requirements. You obviously have different requirements than us.

Re: Spyware and Adware affect every internet user

Volker Birk wrote in news:44633300@news.uni-ulm.de:

> Fuzzy Logic wrote:
>> (and why is it a xhtml file anyways?)
>
> Because XHTML is the actual W3C recommendation for webpages?
>
> http://www.w3.org/MarkUp/#recommendations
>
> Yours,
> VB.

Nice try but unfortunately it's not. It's the recommendation for the next generation of HTML. It's pretty rare to
encouter XHTML pages at this time.

Quote from the above page:

The mission of the HTML Working Group (members only) is to develop the next generation of HTML as a suite of
XML tag sets with a clean migration path from HTML 4. Some of the expected benefits include: reduced
authoring costs, an improved match to database & workflow applications, a modular solution to the increasingly
disparate capabilities of browsers, and the ability to cleanly integrate HTML with other XML applications.

Re: Spyware and Adware affect every internet user

Fuzzy Logic wrote:
[Software Design]
> You can conclude all you want but you don't know for sure.

You're obviously talking about things you don't understand. Of course
usually it's easy to see how software design is done by just having a
look onto what's there.

At least it's easy, if you're doing software design as your daily
business.

Yours,
VB.
--
At first there was the word. And the word was Content-type: text/plain

Re: Spyware and Adware affect every internet user

Fuzzy Logic wrote:
> > Fuzzy Logic wrote:
> >> (and why is it a xhtml file anyways?)
> > Because XHTML is the actual W3C recommendation for webpages?
> > http://www.w3.org/MarkUp/#recommendations
> Nice try but unfortunately it's not.

[ ] you have problems with extracting information out of an English text

[ ] you don't know, what the W3C is

[ ] you don't know, what a recommendation of the W3C is

Please make your choice(s).

FYI:

| W3C Recommendation (REC)
| A W3C Recommendation is a specification or set of guidelines that,
| after extensive consensus-building, has received the endorsement of W3C
| Members and the Director. W3C recommends the wide deployment of its
| Recommendations. Note: W3C Recommendations are similar to the standards
| published by other organizations.

(from http://www.w3.org/2004/02/Process-20040205/tr#RecsW3C)

| XHTML 1.0
| XHTML 1.0 is the W3C's first Recommendation for XHTML

(from http://www.w3.org/MarkUp/#recommendations)

Yours,
VB.
--
At first there was the word. And the word was Content-type: text/plain

Re: Spyware and Adware affect every internet user

Fuzzy Logic wrote:

>> So, and this helps against direct site includes?
>
> Actually it does. It parses HTML looking for advertisement tags and
> removes the offending code. It doesn't catch everything but still
> does a very good job.

You know, one miss is enough.

>>> As I said regardless of how unsafe you think I am (as well as 600
>>> of my co-workers) we have not had a single incident in years. We
>>> do regular scans and monitoring of desktops for nasties and none
>>> have been found.
>> Do I sense the doomsday argument here?
>
> I don't know do you?

It's like saying "Oh, I never had any problem with driving at 100 mph
without a seatbelt." When you hit a wall, because you've easily lost
control about the steering, you're fucked.

> You can conclude all you want but you don't know for sure.

That's why I prefer looking at the source code or at least a
disassembly. BTDT.

> Just like you've concluded that my configuration is insecure without
> knowing what it is beyond that I use IE. The fact is nothing is 100%
> secure, it's only perceived as secure until such time as a new
> vulnerability is discovered.

IE is 100% insecure, independent of configuration, without a new
vulnerability discovered.

> The best we can do is limit our risk, while
> maintaining the functionality that we require. Our configuration has
> met our needs while preventing attacks and therefore met our
> requirements. You obviously have different requirements than us.

According to my knowledge of IE vulnerabilities, either your
functionality or security requirements must be very low.

Re: Spyware and Adware affect every internet user

Sebastian Gottschalk wrote in news:4cjgrhF16j3naU1@news.dfncis.de:

> Fuzzy Logic wrote:
>
>>> So, and this helps against direct site includes?
>>
>> Actually it does. It parses HTML looking for advertisement tags and
>> removes the offending code. It doesn't catch everything but still
>> does a very good job.
>
> You know, one miss is enough.

So you're saying the software you currently use is perfect?

>>>> As I said regardless of how unsafe you think I am (as well as 600
>>>> of my co-workers) we have not had a single incident in years. We
>>>> do regular scans and monitoring of desktops for nasties and none
>>>> have been found.
>>> Do I sense the doomsday argument here?
>>
>> I don't know do you?
>
> It's like saying "Oh, I never had any problem with driving at 100 mph
> without a seatbelt." When you hit a wall, because you've easily lost
> control about the steering, you're fucked.

Acutaully I would say it's like driving the marked speed limit with all the safety equipment in use. Of course a
plane engine might still fall on my head.

>> You can conclude all you want but you don't know for sure.
>
> That's why I prefer looking at the source code or at least a
> disassembly. BTDT.
>
>> Just like you've concluded that my configuration is insecure without
>> knowing what it is beyond that I use IE. The fact is nothing is 100%
>> secure, it's only perceived as secure until such time as a new
>> vulnerability is discovered.
>
> IE is 100% insecure, independent of configuration, without a new
> vulnerability discovered.

So YOU say...apparently I live in a different world than you.

>> The best we can do is limit our risk, while
>> maintaining the functionality that we require. Our configuration has
>> met our needs while preventing attacks and therefore met our
>> requirements. You obviously have different requirements than us.
>
> According to my knowledge of IE vulnerabilities, either your
> functionality or security requirements must be very low.

Or we have managed to properly configure IE and prevent attacks contrary to what you have said.

Again I am willing to visit any 'malicious' site you care to throw at me and test my configuration and report
back. I do not consider sites that require user intervention a valid 'malicious' site as social engineering can
defeat most security.

Re: Spyware and Adware affect every internet user

Volker Birk wrote in news:44645731@news.uni-ulm.de:

> Fuzzy Logic wrote:
>> > Fuzzy Logic wrote:
>> >> (and why is it a xhtml file anyways?)
>> > Because XHTML is the actual W3C recommendation for webpages?
>> > http://www.w3.org/MarkUp/#recommendations
>> Nice try but unfortunately it's not.
>
> [ ] you have problems with extracting information out of an English text
>
> [ ] you don't know, what the W3C is
>
> [ ] you don't know, what a recommendation of the W3C is
>
> Please make your choice(s).

[x] None of the above.

> FYI:
>
>| W3C Recommendation (REC)
>| A W3C Recommendation is a specification or set of guidelines that,
>| after extensive consensus-building, has received the endorsement of W3C
>| Members and the Director. W3C recommends the wide deployment of its
>| Recommendations. Note: W3C Recommendations are similar to the standards
>| published by other organizations.
>
> (from http://www.w3.org/2004/02/Process-20040205/tr#RecsW3C)
>
>| XHTML 1.0
>| XHTML 1.0 is the W3C's first Recommendation for XHTML
>
> (from http://www.w3.org/MarkUp/#recommendations)
>
> Yours,
> VB.

Re: Spyware and Adware affect every internet user

Fuzzy Logic wrote:

>> You know, one miss is enough.
>
> So you're saying the software you currently use is perfect?

No, just that is hasn't got obvious flaws.

> Acutaully I would say it's like driving the marked speed limit with
> all the safety equipment in use.

You have a strange interpretation of 50+ unpatched security vulnerabilities.

>> IE is 100% insecure, independent of configuration, without a new
>> vulnerability discovered.
>
> So YOU say...apparently I live in a different world than you.

Oh, can't you stand provable facts?

>> According to my knowledge of IE vulnerabilities, either your
>> functionality or security requirements must be very low.
>
> Or we have managed to properly configure IE and prevent attacks
> contrary to what you have said.

One can proof the contrary can't hold.

> Again I am willing to visit any 'malicious' site you care to throw at
> me and test my configuration and report back. I do not consider sites
> that require user intervention a valid 'malicious' site as social
> engineering can defeat most security.

I already pointed you to exploit code, but it seems like you're too
stupid^W^Wnot willing^W^Wtoo stupid to create your own test cases based
on copy & paste.

Re: Spyware and Adware affect every internet user

Sebastian Gottschalk wrote in
news:4ck6sqF16lls1U1@news.dfncis.de:

> Fuzzy Logic wrote:
>
>>> You know, one miss is enough.
>>
>> So you're saying the software you currently use is perfect?
>
> No, just that is hasn't got obvious flaws.
>
>> Acutaully I would say it's like driving the marked speed limit with
>> all the safety equipment in use.
>
> You have a strange interpretation of 50+ unpatched security
> vulnerabilities.

But it's fully patched and the supposed 'vulnerabilities' require a very precise set of circumstances and often
obscure user behavior to exploit them. I also question the 50+ number. I will have to review the Secunia page
and see what the tally is at.

>>> IE is 100% insecure, independent of configuration, without a new
>>> vulnerability discovered.
>>
>> So YOU say...apparently I live in a different world than you.
>
> Oh, can't you stand provable facts?

Facts don't need to be proved. Now your theory of 100% insecure certainly does.

>>> According to my knowledge of IE vulnerabilities, either your
>>> functionality or security requirements must be very low.
>>
>> Or we have managed to properly configure IE and prevent attacks
>> contrary to what you have said.
>
> One can proof the contrary can't hold.

Huh?

>> Again I am willing to visit any 'malicious' site you care to throw at
>> me and test my configuration and report back. I do not consider sites
>> that require user intervention a valid 'malicious' site as social
>> engineering can defeat most security.
>
> I already pointed you to exploit code, but it seems like you're too
> stupid^W^Wnot willing^W^Wtoo stupid to create your own test cases based
> on copy & paste.

You claim the entire WWW is one big hostile cesspool but cannot supply a single page that contains an exploit
that I should be concerned about? I don't care about 'proofs of concept' as these again are usually so obscure
as to be of no concern to the general Internet population. Why should I need to create a page when according
to you they are everywhere just waiting for me to be the next victim.

Re: Spyware and Adware affect every internet user

Fuzzy Logic wrote:

> But it's fully patched

in terms of patch availability.

> and the supposed 'vulnerabilities' require a very precise set of
> circumstances

that are fully in the choice of the attacker.

> and often obscure user behavior

If you read a bit, you'd know that this is not the case.

> I also question the 50+ number.

I don't, at least for a fully patched IE6SP1 on Win2K. IE6SP2 and IE7
are only slightly better.

> I will have to review the Secunia page and see what the tally is at.

What about asking multiple sources? I already pointed you to a collection.

> Facts don't need to be proved. Now your theory of 100% insecure
> certainly does.

I've already presented you some vulnerabilities where no workaround
exists. Oh, you might try to employ filtering, making it even more
unusable, but these filters will either be incomplete or vulnerable to DoS.

>>>> According to my knowledge of IE vulnerabilities, either your
>>>> functionality or security requirements must be very low.
>>> Or we have managed to properly configure IE and prevent attacks
>>> contrary to what you have said.
>> One can proof the contrary can't hold.
>
> Huh?

See above. Enumerating all configuration options still omits no
workaround for some vulnerabilities.

> You claim the entire WWW is one big hostile cesspool but cannot
> supply a single page that contains an exploit that I should be
> concerned about?

Depends on your concerns.

> I don't care about 'proofs of concept' as these
> again are usually so obscure as to be of no concern to the general
> Internet population.

Remote code execution surely is not obscure.

> Why should I need to create a page when
> according to you they are everywhere just waiting for me to be the
> next victim.

Because you asked for proof?

Re: Spyware and Adware affect every internet user

Sebastian Gottschalk wrote in news:4csggkF17ca9mU1@news.dfncis.de:

> Fuzzy Logic wrote:
>
>> But it's fully patched
>
> in terms of patch availability.
>
>> and the supposed 'vulnerabilities' require a very precise set of
>> circumstances
>
> that are fully in the choice of the attacker.
>
>> and often obscure user behavior
>
> If you read a bit, you'd know that this is not the case.

I have and it's generally the case.

>> I also question the 50+ number.
>
> I don't, at least for a fully patched IE6SP1 on Win2K. IE6SP2 and IE7
> are only slightly better.

Win2k? This is 2006. Consider either Server 2003 or XP Pro.

>> I will have to review the Secunia page and see what the tally is at.
>
> What about asking multiple sources? I already pointed you to a collection.
>
>> Facts don't need to be proved. Now your theory of 100% insecure
>> certainly does.
>
> I've already presented you some vulnerabilities where no workaround
> exists. Oh, you might try to employ filtering, making it even more
> unusable, but these filters will either be incomplete or vulnerable to DoS.

DoS is a non-issue as far as I'm concerned. There may be no workaround in IE but there are numerous 3rd
party (and often free) products that can and do help.

>>>>> According to my knowledge of IE vulnerabilities, either your
>>>>> functionality or security requirements must be very low.
>>>> Or we have managed to properly configure IE and prevent attacks
>>>> contrary to what you have said.
>>> One can proof the contrary can't hold.
>>
>> Huh?
>
> See above. Enumerating all configuration options still omits no
> workaround for some vulnerabilities.
>
>> You claim the entire WWW is one big hostile cesspool but cannot
>> supply a single page that contains an exploit that I should be
>> concerned about?
>
> Depends on your concerns.
>
>> I don't care about 'proofs of concept' as these
>> again are usually so obscure as to be of no concern to the general
>> Internet population.
>
> Remote code execution surely is not obscure.
>
>> Why should I need to create a page when
>> according to you they are everywhere just waiting for me to be the
>> next victim.
>
> Because you asked for proof?

Simply supply a link to one of the endless pages out there that is trying to run remote code on my machine
and successfully bypasses my security. Just one link...is that too much to ask when you claim all web sites
are malicious?

As far as I'm concerned you are simply a victim of the paranoia propogated by software developers and
security firms wishing us to switch to their 'more secure' products because around every corner is
someone out to get us. I won't deny there is some nasty stuff out there but it's way overblown and easy to
avoid. I would also argue that the people who are victims of said vulnerabilities are computer nieve, use the
default settings and more than likely could have avoided the issue by just keeping their machine patched and
saying no to the little dialog box that said "would you like us to help protect your computer" when visiting
some questionable web site.

Re: Spyware and Adware affect every internet user

Fuzzy Logic wrote:

> I have and it's generally the case.

Details please.

>>> I also question the 50+ number.
>> I don't, at least for a fully patched IE6SP1 on Win2K. IE6SP2 and
>> IE7 are only slightly better.
>
> Win2k? This is 2006. Consider either Server 2003 or XP Pro.

Why? Win2K is still supported.

> DoS is a non-issue as far as I'm concerned.

/* no comment */

> There may be no
> workaround in IE but there are numerous 3rd party (and often free)
> products that can and do help.

Fine. So you do want to filter out every known exploitability. You're
going to filter out every CSS formatting, every ftp:// link, a lot of
http links, every (i)frame, object and any image? Your website will be
reduced to formatted text and tables with hopefully some links left.

Well, no thanks, using a real webbrowser like Mozilla is a far better
approach, especially as it doesn't depend on someone else protecting you.

> Simply supply a link to one of the endless pages out there that is
> trying to run remote code on my machine and successfully bypasses my
> security.

Argh... do you expect me to run through the web while taking a careful
look on who's trying to exploit me? There have already been enough
examples in the past, most sites are still using one of those IFrame
vulnerabilities in IE.

> Just one link...is that too much to ask when you claim all
> web sites are malicious?

http://click.adbrite.com?

> As far as I'm concerned you are simply a victim of the paranoia
> propogated by software developers and security firms wishing us to
> switch to their 'more secure' products because around every corner is
> someone out to get us.

Eh... no. Maybe you just didn't understand what security means,
especially in terms of reliability. I don't want my webbrowser to
potentially blow up just when clicking a link, whether or not someone
actually exploits that.

> I won't deny there is some nasty stuff out
> there but it's way overblown and easy to avoid.

The "easy to avoid" part has been disproven.

> I would also argue
> that the people who are victims of said vulnerabilities are computer
> nieve, use the default settings and more than likely could have
> avoided the issue by just keeping their machine patched and saying no
> to the little dialog box that said "would you like us to help protect
> your computer" when visiting some questionable web site.

So that's your excuse for 50+ criticial vulnerabilities that have been
unaddressed since years? Sorry, but that's bullshit!

Re: Spyware and Adware affect every internet user

Sebastian Gottschalk wrote in news:4cuuekF173if7U1@news.dfncis.de:

> Fuzzy Logic wrote:
>
>> I have and it's generally the case.
>
> Details please.
>
>>>> I also question the 50+ number.
>>> I don't, at least for a fully patched IE6SP1 on Win2K. IE6SP2 and
>>> IE7 are only slightly better.
>>
>> Win2k? This is 2006. Consider either Server 2003 or XP Pro.
>
> Why? Win2K is still supported.

So is Windows 98 but neither are hardly considered current.

>> DoS is a non-issue as far as I'm concerned.
>
> /* no comment */
>
>> There may be no
>> workaround in IE but there are numerous 3rd party (and often free)
>> products that can and do help.
>
> Fine. So you do want to filter out every known exploitability. You're
> going to filter out every CSS formatting, every ftp:// link, a lot of
> http links, every (i)frame, object and any image? Your website will be
> reduced to formatted text and tables with hopefully some links left.

Well what you think happens and what we are seeing (perfectly fine rendered pages with the occasional
ad not being displayed). Generally it looks identical to a page rendered without the additional protection.

> Well, no thanks, using a real webbrowser like Mozilla is a far better
> approach, especially as it doesn't depend on someone else protecting you.

What's good for you may not be for me...is that so hard to understand? And off course you thorougly vetted
all your browser plugins/helpers (can you say greasemonkey, quicktime, acrobat, shockwave, etc....all of
which have had exploits at some point that allowed remote execution of code).

>> Simply supply a link to one of the endless pages out there that is
>> trying to run remote code on my machine and successfully bypasses my
>> security.
>
> Argh... do you expect me to run through the web while taking a careful
> look on who's trying to exploit me? There have already been enough
> examples in the past, most sites are still using one of those IFrame
> vulnerabilities in IE.
>
>> Just one link...is that too much to ask when you claim all
>> web sites are malicious?
>
> http://click.adbrite.com?

OK what's supposed to happen? Loads fine and amazingly nothing happened!? Took me to
http://www.adbrite.com/

Browser didn't crash, page displays, I can still surf, no spyware, no adware, no trojans, no rootkits, no
homepage hijack?!

>> As far as I'm concerned you are simply a victim of the paranoia
>> propogated by software developers and security firms wishing us to
>> switch to their 'more secure' products because around every corner is
>> someone out to get us.
>
> Eh... no. Maybe you just didn't understand what security means,
> especially in terms of reliability. I don't want my webbrowser to
> potentially blow up just when clicking a link, whether or not someone
> actually exploits that.

Nobody does. And amazingly it rarely happens. Certainly no more frequently than any other application.

>> I won't deny there is some nasty stuff out
>> there but it's way overblown and easy to avoid.
>
> The "easy to avoid" part has been disproven.

Not that I've seen.

>> I would also argue
>> that the people who are victims of said vulnerabilities are computer
>> nieve, use the default settings and more than likely could have
>> avoided the issue by just keeping their machine patched and saying no
>> to the little dialog box that said "would you like us to help protect
>> your computer" when visiting some questionable web site.
>
> So that's your excuse for 50+ criticial vulnerabilities that have been
> unaddressed since years? Sorry, but that's bullshit!

There MAY be 50+ vulnerabilities but certainly no where near that many are considered 'critical' by anyone
except maybe you.

Why am I somehow responsible for the vulnerabilities in IE? I didn't write it. I simply use it and like every
other product we use it has risks associated with it. Drink too much water you die...I guess I should stop
using water too? Obviously you feel that the risks associated with IE are too high for you to consider using
it. I have come to a different conclusion and we are obviously not going to agree.

I have 600 users I support that have been properly trained and amazingly we have not succumbed to a
single one of these ubiquitous vulnerabilities because the reality is that the major threats have been
addressed and any malicious site (by my definition) is taken down so fast that the chance of becoming a
victim are extremely low.

Re: Spyware and Adware affect every internet user

Fuzzy Logic wrote:

>>> Win2k? This is 2006. Consider either Server 2003 or XP Pro.
>> Why? Win2K is still supported.
>
> So is Windows 98 but neither are hardly considered current.

Windows 98 is DOS-based and has no privilege separation, I don't
consider that usable for any network-connected scenario.

So far, Win2K still is a current system and IE6SP1 is its current level
of IE. Denote that it's still getting patched.

> Well what you think happens and what we are seeing (perfectly fine
> rendered pages with the occasional ad not being displayed). Generally
> it looks identical to a page rendered without the additional
> protection.

Ah, I thought you'd be serious about the filtering. So far that means
you didn't employ sufficient workarounds.

>> Well, no thanks, using a real webbrowser like Mozilla is a far
>> better approach, especially as it doesn't depend on someone else
>> protecting you.
>
> What's good for you may not be for me...is that so hard to
> understand? And off course you thorougly vetted all your browser
> plugins/helpers (can you say greasemonkey, quicktime, acrobat,
> shockwave, etc....all of which have had exploits at some point that
> allowed remote execution of code).

GreaseMonkey had a default configuration issue. Never applied to me.
The rest was disabled by default, for good reason.

BTW, there are no vulnerabilities currently known, in strict contrast to IE.

>>> Just one link...is that too much to ask when you claim all web
>>> sites are malicious?
>> http://click.adbrite.com?
>
> OK what's supposed to happen? Loads fine and amazingly nothing
> happened!? Took me to http://www.adbrite.com/

Argh... you just want to annoy me, hein? / is uninteresting, take a look
at the script it serves.

> Browser didn't crash, page displays, I can still surf, no spyware, no
> adware, no trojans, no rootkits, no homepage hijack?!

I'm not aware of Adbrite employing a sufficient recent exploit. But you
should just wait some time...

>> Eh... no. Maybe you just didn't understand what security means,
>> especially in terms of reliability. I don't want my webbrowser to
>> potentially blow up just when clicking a link, whether or not
>> someone actually exploits that.
>
> Nobody does. And amazingly it rarely happens. Certainly no more
> frequently than any other application.

You must be kidding... how many hundred thousands of machines have been
hijacked at the latest IE exploit wave?

>>> I won't deny there is some nasty stuff out there but it's way
>>> overblown and easy to avoid.
>> The "easy to avoid" part has been disproven.
>
> Not that I've seen.

You really don't read news?

> There MAY be 50+ vulnerabilities but certainly no where near that
> many are considered 'critical' by anyone except maybe you.

Not all of them a critical, but a lot. BTW, the consideration is taken
upon impact and a non-interactive execution of remote code certainly is
critical.

> Why am I somehow responsible for the vulnerabilities in IE? I didn't
> write it. I simply use it

You're using it for something it was never designed for.

> and like every other product we use it has risks associated with it.

And the risk for IE is certainly unacceptable, especially because safe
and far better alternatives exist.

> I have 600 users I support that have been properly trained and
> amazingly we have not succumbed to a single one of these ubiquitous
> vulnerabilities because the reality is that the major threats have
> been addressed

You're not even able to differ an ActiveX Rich Platform Client that has
been marketed as a webbrowser from a real webbrowser, but claim to
recognize even a good hidden thread long before it hits you in the face?

> and any malicious site (by my definition) is taken
> down so fast that the chance of becoming a victim are extremely low.

Now that's a fiction, too.