Re: OT: Gone from topic, now on security Re: For PGP Users-Likes and Dislikes of PGP

on 14.08.2006 10:44:27 by Joseph Ashwood

"Sebastian Gottschalk" wrote in message
news:4kagi5Fbc2o9U1@news.dfncis.de...
> Joseph Ashwood wrote:
>> So to review the updates in the last month (since Microsoft releases
>> monthly this is a reasonable timeframe) there has been 1 update to IE
>> (MS06-042), one update to OE (MS06-043), both released last Tuesday.
>>
> And there're still 60+ vulnerabilities left open. Your point being?

My point being that you still have failed to name a single one. You claimed
that you knew several flaws, yet you have failed to name even one. My point
remains, I simply claimed that the security is approximately the same. You
have claimed that OE has security flaws, yet you have not named a single
actual. I decided to save you a bit of trouble, I actually checked CVE for
you, there are 2 known vulnerabilities listed for OE in 2006, 2 more in
2005, 4 in 2004, 2 in 2003. Thunderbird is a very different story, there have
been 53 listed vulnerabilities in 2006. Now I fully recognise that flaws in
Mozilla products are more likely to be reported than flaws in Microsoft
products, but if 4% of MS flaws are reported this is approximately the
equal.

This to me indicates that the level of security flaws are close enough to be
ignored. That leaves the primary reason that OE is exploited more often than
Thunderbird being simply a numbers game.
Joe

Re: OT: Gone from topic, now on security Re: For PGP Users-Likes and Dislikes of PGP

on 14.08.2006 10:59:41 by Sebastian Gottschalk

Joseph Ashwood wrote:

>>> So to review the updates in the last month (since Microsoft
>>> releases monthly this is a reasonable timeframe) there has been 1
>>> update to IE (MS06-042), one update to OE (MS06-043), both
>>> released last Tuesday.
>>>
>> And there're still 60+ vulnerabilities left open. Your point being?
>>
>
> My point being that you still have failed to name a single one.

No. You only asked for vulnerabilities in OE, and I also referred to
triggering MSIE vulnerabilities as well. And of those, I can name you a
lot. And I also named some non-inherited OE flaws as well.

> You claimed that you knew several flaws, yet you have failed to name
> even one.

Actually it's quite funny that you're not able to use Google, search on
Securityfocus or at other common places, which easily turns out some.
Shouldn't be too hard for so many existing.

But just for convenience:

  • - a nifty
    little memory corruption vulnerability which allows remote code execution.

> I decided to save you a bit of trouble, I actually checked CVE for
> you, there are 2 known vulnerabilities listed for OE in 2006, 2 more
> in 2005, 4 in 2004, 2 in 2003.

CVE isn't the entire truth.

Just again: Due to inheritance of all IE flaws, it's currently at 60+.

> Thunderbird is very different story, there have been 53 listed
> vulnerabilities in 2006.

Yeah. Potential information disclosure when JavaScript is enabled (which
it isn't by default) is way more critical than remote code execution.

> That leaves the primary reason that OE is
> exploited more often than Thunderbird being simply a numbers game.

Just like Apache vs. IIS?

Re: OT: Gone from topic, now on security Re: For PGP Users-Likes and Dislikes of PGP

on 14.08.2006 11:10:33 by lassi.hippelainen

Joseph Ashwood wrote:
> ... That leaves the primary reason that OE is exploited more often than
> Thunderbird being simply a numbers game.

As a clarification: not the number of installations, but the number of
inexperienced users.

-- Lassi