My question is why is Microsoft silent on all its sites on these two
serious IE holes particularly after one of them is almost two months old?
Maybe someone from Microsoft who works with Mr. Charney or Mr. Nash will
comment on them
Mr. Charney seems unable to direct his former zeal for pursuit of alleged
cybercrime behind when it comes to transparency and showcasing these MS
security holes, communicating them to the public in a timely manner, and
either coming up with fixes in a reasonable time or pre-empting the need for
an onslaught of hotfixes in the operating system and the browser. I don't
see any mention of them on the MS Security, Technet, MSDN, or Presspass
sites.
There is a potentially devestating security hole in Internet Explorer 6 and
possibly earlier versions. IE. This follows the discovery of a vulnerability
in Windows XP earlier this week. You could be fooled into downloading files
that look safe but could be anything, particularly executables. A demo (POC
Proof of Concept Exploit) of both the hole in Windows and the hole in IE is
avialable on Security Company Secunia's sites. The Windows security flaw
allows construction of a malicious folder that has both script code and a
malicious file. If you are tricked into opening that folder, Windows
Explorer will execute the code.
The latest vulnerability in Internet Explorer can display a fake URL in the
address and status bars which is different from the real page location. The
idea is to engineer users into revealing sensitive information or executing
malware as a download.
The third vulnerabilty allows IE to be tricked into opening a file with a
different application than the file extension indicates by embedding a CSLID
in the file name:
http://www.secunia.com/advisories/10708/ Windows XP Exploit Not Yet
Addressed
New Explorer hole could be devastating
http://www.infoworld.com/article/04/01/28/HNiehole_1.html
IE File Download Extension Spoofing Unfixed
http://www.secunia.com/advisories/10736/
IE URL Spoofing Vulnerability Since December, 2003 Unfixed
http://www.secunia.com/advisories/10395/
It would be easy to get people to download the Doom Worm or even worse, to
combine this latest hole with the Explorer spoofing problem discovered in
December but not fixed by Microsoft. Many articles on the web are
speculating that the reason Microsoft has not fixed it is because it can't.
Microsoft has been beefing up security according to a large number of
releases from MS Presspass. They hired Scott Charney, an attorney who was
Chief of Computer Crime at the U.S. Department of Justice and a key member
of the US DOJ's Computer Search and Seizure Work Group in April sending
Howard Schmidt to the President's Critical Infrastructure Protection Board.
Mike Nash is Vice President for the Security Business Unit at Microsoft.
Neither gentleman has had a comment on any of the three exploits, and
Microsoft has posted nothing to date on any of its sites. However, on
November 19, 2003 Mr. Charney testified to Congress that "Security is the #1
Microsoft Priority."
Microsoft Executive Bio of Scott Charney
http://www.microsoft.com/mscorp/innovation/twc/issues/scott_charney_bio.asp
COMMENTARY: LEADER OR LOBBYIST Scott Charney
http://discuss.extremetech.com/n/main.asp?webtag=extremetech&nav=messages&msg=8914.3
Testimony of Scott Charney Before House Sub Chief Trustworthy Computing
Strategist Microsoft Corporation:
http://www.microsoft.com/presspass/exec/charney/11-19testimony.asp
It is difficult to understand why Microsoft has been silent on one of these
IE spoofs for nearly two months. Is it possible that there is no fix?
Further the sheer amount of hotfixes lends to instability and bugs and
sometimes considerable side effects in Windows and the browser.
Chad Harris