Microsoft Patches IE Flaw Used in Google Hacking

Status
Not open for further replies.

SAL-e

Distinguished
Feb 4, 2009
383
0
18,780
Security by obscurity Security.
When we are going to learn the lesson? Probably never!
In this case I am more mad at Kaspersky for keeping quiet for more then 3 months. They just enter into my black list.
 

JD13

Distinguished
Mar 24, 2009
252
0
18,790
Systems administrator asleep at the wheel...
Is it better to find the flaw & report it right away or wait until you have a patch then tell everyone?
 

maximus20895

Distinguished
Nov 28, 2009
54
0
18,640
Yet another reason with Firefox wins and IE is horrible.

Interestingly, Kaspersky Labs Threatpost reports that Microsoft learned of this security hole back in September 2009 and planned for a patch in February 2010

So let me get this straight, They knew about it in September, but purposely put it off until four months later? Why wouldn't the fix the flaw ASAP?
 

dravis12

Distinguished
Mar 16, 2009
67
0
18,630
[citation][nom]SAL-e[/nom]Security by obscurity Security.When we are going to learn the lesson? Probably never!In this case I am more mad at Kaspersky for keeping quiet for more then 3 months. They just enter into my black list.[/citation]

It doesn't say that Kaspersky knew that there was a problem in September, only that Microsoft was aware of it. How is that Kaspersky's fault?
 

SAL-e

Distinguished
Feb 4, 2009
383
0
18,780
[citation][nom]dravis12[/nom]It doesn't say that Kaspersky knew that there was a problem in September, only that Microsoft was aware of it. How is that Kaspersky's fault?[/citation]
Ok. My assumptions were:
1. Kaspersky found the bug.
2. Kaspersky privately reported the problem to MS.
3. MS and Kaspersky, using security by obscurity, took more then 3 months to release the knowledge and fix for the problem.
If you read the MS security bulletins as I do you will notice that more then 80% of the problems are privately reported to MS and only small part of them are discovered by internal audit. That is why I made those assumptions.
But I see your point. From the information provided by the article there is other possibility that Kaspersky learned about the problem from MS and they are out raged that MS took more then 3 months to fix the problem.

Thank you for correcting me.
 

spectrewind

Distinguished
Mar 25, 2009
446
0
18,790
[citation][nom]ethanolson[/nom]Microsoft said everyone should ditch IE6. Listen to them![/citation]

As has been pointed out in many other threads, not every business has the money/man-power to just deploy software updates like this. In a production environment where IE6 is supported for web interfaces, but IE7 (or higher) are not, it makes more sense to continue using IE6 with a few expected infections than to pull everyone forward to the current IE and cause a web-based application to cease to work.

Some will point out that the web application should be upgraded. Again, planning, money, and man-power decide this, and it generally needs to be tested prior to roll-out.

Dealing with on-occurrance virus infections is easier, given this, when you can just re-image a machine from a known-good config.
 

back_by_demand

Splendid
BANNED
Jul 16, 2009
4,821
0
22,780
[citation][nom]edilee[/nom]Why are "top tech firms" still using Internet Explorer 6 LOL. Guess they still using 386 machines too?[/citation]
Because when a company rolls out IE to thousands of machines they need to guarantee compatability. Where I work we rolled out Adobe Reader 9 to replace Adobe Reader 8 on 1500 clients machines near the end of last year. Nearly 3 months later we are still getting machine users calling in with problems as the update left them with non-working readers. Just because a home user can install and un-install at will does not mean the corporate world is able to work that way. That is why IBM only just updated their machine from IE6 to IE7, even though we have had IE8 for ages.
 

troger5troger5

Distinguished
Dec 7, 2009
44
0
18,540
I still dont understand since the corp world for the most part all use explorer. Billions of dollars are spent by companys to make sure that their software is compatable with everyone elses. Microsoft is a hugh plateform to make this all possible. People still want to compair APPLE and now FIREFOX as being hack proof/better what ever.............. Until those apps/os's are the mainstream for corp, then they will always look more solid since you dont have the hacking world breaking down your door. They are not going to waist their time with minority /non news / money worthy software.
 

crikey2

Distinguished
Feb 15, 2009
19
0
18,510
All software has security vulnerabilities - IE, Firefox, Safari, quicktime, Flash, Acrobat, Windows, Linux - the whole lot (including all those internal corporate apps businesses are so fond of building.) Corp IT managers need to ditch the excuse about "testing for compatibility" and "the cost of upgrading" and learn that software is a dynamic business. If you build software you need to maintain it. Period. That means not only fixing your own vulnerabilities and bugs on a timely schedule. If also means ensuring that your app works with newer versions and updates to underlying software components yousoftware depends on. If you can't plan and budget for this you shouldn't be building the software in the first place.
 
G

Guest

Guest
Not updating their software merely keeps them behind the times.
I'm sorry, but corporations are supposed to adapt to new software and technology, not function in the dark ages.

Sigh ... the IT departments in the firms are responsible of making sure everything works.
Are they filled with incompetant people by any chance if an update from Adobe Reader leaves previous versions non functional?

I would have to say so, because they run a much tightly controlled environment to begin with and these malfunctions shouldn't happen.
Heck, they rarely (if ever) occur for home users.
 

ta152h

Distinguished
Apr 1, 2009
1,207
2
19,285
[citation][nom]deks[/nom]Not updating their software merely keeps them behind the times.I'm sorry, but corporations are supposed to adapt to new software and technology, not function in the dark ages.Sigh ... the IT departments in the firms are responsible of making sure everything works.Are they filled with incompetant people by any chance if an update from Adobe Reader leaves previous versions non functional?I would have to say so, because they run a much tightly controlled environment to begin with and these malfunctions shouldn't happen.Heck, they rarely (if ever) occur for home users.[/citation]

It's obvious you've never worked in a big company, as you really don't understand.

I do understand what you're saying, and for the uninitiated, it might even seem true. But, it's really a mistake, as I learned the hard way.

Change is bad, as a rule. It brings the possibility of unknowns that you don't have control over. There's an old saying, if it ain't broke, don't fix it. You have corporations that have established systems that are working for their employees, and when they don't work, there's a lot of experience dealing with that platform. Any software upgrades introduce bugs, and bugs there are less experience with. No amount of testing will reveal them all, or mitigate all the problems with change. So, you don't do it until it's really worth it, and in most cases, you get to skip releases and all the headaches associated with them.

For example, think of all the headaches that were missed skipping bad OS's like XP and Vista. I don't have Windows 7 yet, so I can't say for sure, but XP suck, and Vista sucked balls. A lot of companies stuck with Windows 2000 for a long time because it worked well. Some will have avoided the headaches and bad performance of XP and Vista, and move right to Windows 7. Some skipped IE 7, and if they wait, maybe even IE 8 with all its problems.

So, you really want to try to avoid change for as long as possible, unless it's got some compelling reason that makes it worth it. Microsoft, for reasons unknown to most, feel it's necessary to change the way things look with most of their releases, and this creates confusion for end users, and support costs.

You make change when you have to, not because someone likes to have the newest release of this and that because they think it's cool. That's what you do at home, not at work.

Having said all that, IE 6.0 is soooooo bad, unless internet access is a small part of the job (which it is in most places), I'd upgrade it. If you have apps that use the web, or need access, I'd say the pain involved in change is still worth it because using IE 6 is really bad. Although, IE 8.0 sucks bad too, but at least it's got additional useful features. Maybe companies are waiting for IE 9, who knows. It's really hard moving to something as bad as IE 8, even if it's better than 6.0.
 

Supertrek32

Distinguished
Nov 13, 2008
442
0
18,780
[citation][nom]crikey2[/nom]All software has security vulnerabilities - IE, Firefox, Safari, quicktime, Flash, Acrobat, Windows, Linux - the whole lot (including all those internal corporate apps businesses are so fond of building.) Corp IT managers need to ditch the excuse about "testing for compatibility" and "the cost of upgrading" and learn that software is a dynamic business. If you build software you need to maintain it. Period. That means not only fixing your own vulnerabilities and bugs on a timely schedule. If also means ensuring that your app works with newer versions and updates to underlying software components yousoftware depends on. If you can't plan and budget for this you shouldn't be building the software in the first place.[/citation]
Most IT managers probably agree with you, but the guy who'd have to authorize the payment for it typically doesn't have a clue.

"Is it causing a problem?"

"No, but it will mea-"

"Vetoed."
 

r3t4rd

Distinguished
Aug 13, 2009
274
0
18,780
[citation][nom]edilee[/nom]Why are "top tech firms" still using Internet Explorer 6 LOL. Guess they still using 386 machines too?[/citation]
Like others that have posted here on on other threads, if you don't work in an environment of 3000+ PC's such as the top tech firms, you will never know the issues in regards to upgrading any software - especially with internet explorer.

Example:
You have Company_A - with 3000+ PCs and hundreds of proprietary software and home grown software. IE8 has been out and you have tested it for at least a six months now with issues but you have already patched and fixed these issues. Tomorrow comes, you roll out IE9 to all 3000+ PCs. Next few weeks your Call Center/Help Desk gets a 80% hike in calls in regards to IE9.

First point - All the extra calls equals extra support and money spent for the support from Company_A.
2nd Point - You now have to check all the call logs and determine what issues in regards to your IE8 deployment are high risk issues and resolve them ASAP. Then worry about the lower risk issues. In terms this means more Tech power support and paid time to work on the issues. More $$$ spent.
3rd Point - Now you have isolated the issue, you need to patch the issues from your home grown software and proprietary software, then the street software. Which in term means working with the maker of each software/vendor. More $$$$ also spent.
4th Point - All the broken software with while employees are getting paid to do nothing??? - Even more $$$ spent.

I could go on and on with many other points but you get where I am going with this already - I hope. When you tally all the extra expenditures and allocation of resources caused by a measly upgrade such as my example above, you are looking at Millions of dollars. Top Tech companies and huge Fortune 500 companies such as the one I am working for have more than 3000+ PC's. (3000+ PC is even a low number of PC's to support IMO) You can test any updated software for as long as you see fit but you will never be able to produce/reproduce the issues when you deploy the software to over 3000+ PCs and users.

It all comes down to business common sense and money. Just think about it, if you owned your own company, how'd you feel if your companies IT Mgr came and told you that you have to spend 20 million dollars to resolve or fix all those issue that could have been avioded by not upgrading? Or the fact that you have to explain to the Board of Directors why you spent 20 Million dollars alone in the past 3 months? If it ain't broke (like someone quoted) why fix it?

Sorry for my long rant. It just rubs me the wrong way when people do not understand big companies and why are they still on old outdated software such as IE6, IE7, etc.
 
Status
Not open for further replies.