Path: g2news1.google.com!news1.google.com!news.glorb.com!
news3.optonline.net!pd7cy1no!shaw.ca!pd7tw2no.POSTED!53ab2750!not-for-mail
X-Trace-PostClient-IP: 24.86.202.85
From: Brian <br...@stanley-park.com>
Subject: Patched in 60 Seconds
Newsgroups: microsoft.public.msn.discussion
Reply-To: br...@stanley-park.com
Lines: 76
User-Agent: KNode/0.7.7
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7Bit
Message-ID: <AzzHc.55859$WB5.44195@pd7tw2no>
Date: Fri, 09 Jul 2004 16:18:40 GMT
NNTP-Posting-Host: 24.71.223.147
X-Complaints-To: ab...@shaw.ca
X-Trace: pd7tw2no 1089389920 24.71.223.147 (Fri, 09 Jul 2004 10:18:40 MDT)
NNTP-Posting-Date: Fri, 09 Jul 2004 10:18:40 MDT
Organization: Shaw Residential Internet
Xref: g2news1.google.com microsoft.public.msn.discussion:1428

Hello Dear Friends:

Here is an interesting article about a recent vuln discovered in the open
source browser/mail-agents developed by Mozilla.

'Well Well Well', you may be thinking - open source with a discovered
exploit!

Here is the sad part, from a Microsoft point of view: the vulnerability is
only exploitable on Microsoft operating systems because of the embedded IE
code built in to Windows.

Oops...

8^)

Here is another sad part, from a Microsoft point of view: it was patched on
the same day that it was revealed.

Let's review: Microsoft takes 7 days to patch the recent IE exploit (and the
patch was ineffective) and the open source community takes less than a day
to patch Mozilla products that operate on Microsoft OSes - really a Windows
exploit!

Here are some of my favorite passages:

<quote>
Specifically the vulnerability is a feature: it allows Windows programs to
be run remotely through clicking on a link like one of these. The links use
the shell: command to run arbitrary Windows programs or, at its most
destructive, a denial of service attack on an individual machine by opening
up programs that don't exist. 

The kicker is that this isn't even a problem with Mozilla; it's a problem
with Windows Explorer. Windows XP Service Pack 1 was supposed to have
closed this hole, but apparently it is still functioning and leaving
Windows systems open to remote attack. So the Mozilla team worked to patch
a hole that had little to do with their project.

Is this really a security hole? When Mozilla receives a shell: request, it
passes it on to an external handler in Windows. The "fix" for this is to
disable this functionality which, as far as I can tell, is totally
unnecessary to begin with. External handlers -- programs outside Mozilla --
have no specific security model, so the only way to deal with them is to
make individual exceptions like this one. Messy? Yes. But that's Windows.

He who patches first, patches best

So we had a fix in less than 24 hours, and the exploit wasn't that bad to
begin with. 

Let's compare this to Microsoft's handling of a recent Internet Explorer
exploit that was taken advantage of by the Scob trojan, which sought to
steal sensitive personal and financial information from its unknowing
victims. The trojan attacked on June 25, and Microsoft had a patch released
a quick and speedy seven days later, on July 2. So for seven days a serious
hole remained in Internet Explorer, and even then the vulnerability
remained!

One day for the community to discover, discuss, and patch a Windows security
flaw through Mozilla, one week for Microsoft to incorrectly patch a serious
IE exploit. Now tell me, Mr. Ballmer, Mr. Gates: Which is the better
development model?
</quote>

When Bill Gates tells you that Microsoft patches fastest and best... Do you
believe him? Or is Bill Gates LYING?

8^)

Best regards,

Brian
Linux Mystic
open sorcerer
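
Added example, not part of the original post, the quoted article, or Mozilla's code: a sketch of the decision the quoted article describes, where a browser either hands a link's scheme to an operating-system handler or refuses. It compares the per-scheme exception the article calls "messy" (a blocklist) with a default-deny allowlist. The scheme lists, function names and sample links are illustrative assumptions.

```javascript
// Added example; scheme lists and function names are illustrative assumptions.
const INTERNAL = new Set(["http", "https", "ftp"]);   // rendered by the browser itself
const BLOCKED_EXTERNAL = new Set(["shell"]);          // per-scheme exception (blocklist)
const ALLOWED_EXTERNAL = new Set(["mailto", "news"]); // default-deny alternative (allowlist)

// Normalise the link the way a WHATWG URL parser does before reading the
// scheme: drop leading C0 control/space characters and any tab, CR or LF,
// then lowercase. Skipping this lets "SHELL:" or "sh<TAB>ell:" slip past a
// naive string comparison.
function extractScheme(link) {
  const cleaned = String(link)
    .replace(/^[\u0000-\u0020]+/, "")
    .replace(/[\t\r\n]/g, "");
  const m = /^([A-Za-z][A-Za-z0-9+.\-]*):/.exec(cleaned);
  return m ? m[1].toLowerCase() : null; // null: relative link, no scheme
}

// Decide what to do with a clicked link.
//   "internal" - the browser handles it
//   "external" - hand off to the operating system's registered handler
//   "deny"     - refuse the hand-off
function decideExternal(link, mode) {
  const scheme = extractScheme(link);
  if (scheme === null || INTERNAL.has(scheme)) return "internal";
  if (mode === "blocklist") {
    return BLOCKED_EXTERNAL.has(scheme) ? "deny" : "external";
  }
  return ALLOWED_EXTERNAL.has(scheme) ? "external" : "deny";
}

// Constructed sample links (placeholders, not taken from the article).
const samples = ["http://example.com/", "mailto:user@example.com",
  "shell:placeholder", "SHELL:placeholder", " sh\tell:placeholder",
  "vendorapp:open"];

function report() {
  return samples.map((s) => ({
    link: JSON.stringify(s),
    blocklist: decideExternal(s, "blocklist"),
    allowlist: decideExternal(s, "allowlist"),
  }));
}

console.table(report());
```

The last sample is the case that separates the two policies: a scheme nobody has listed yet still reaches the operating system under the blocklist and is refused under the allowlist.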

Path: g2news1.google.com!postnews2.google.com!not-for-mail
From: "MIGuy" <Mich1...@gmail.com>
Newsgroups: microsoft.public.msn.discussion
Subject: Re: Patched in 60 Seconds
Date: 9 Jul 2004 09:45:35 -0700
Organization: http://groups.google.com
Lines: 5
Message-ID: <ccmi3f$c57@odbk17.prod.google.com>
NNTP-Posting-Host: odbk17.prod.google.com
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
X-Trace: posting.google.com 1089391535 14724 127.0.0.1 
(9 Jul 2004 16:45:35 GMT)
X-Complaints-To: groups...@google.com
NNTP-Posting-Date: Fri, 9 Jul 2004 16:45:35 +0000 (UTC)
In-Reply-To: <AzzHc.55859$WB5.44195@pd7tw2no>
User-Agent: G2/0.1
Xref: g2news1.google.com microsoft.public.msn.discussion:1429

Only you can turn a Mozilla security problem item into a bash Microsoft
thread.  You not only beat a dead horse to death, but you back up and
do it again to the point of boring the he$$ out of me.  Rest it awhile,
it's not even newsworthy.

Path: g2news1.google.com!news1.google.com!news.glorb.com!prodigy.com!
pd7cy2so!shaw.ca!pd7tw2no.POSTED!53ab2750!not-for-mail
X-Trace-PostClient-IP: 24.86.202.85
From: Brian <br...@stanley-park.com>
Subject: Re: Patched in 60 Seconds
Newsgroups: microsoft.public.msn.discussion
Reply-To: br...@stanley-park.com
References: <ccmi3f$c57@odbk17.prod.google.com>
Lines: 33
User-Agent: KNode/0.7.7
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7Bit
Message-ID: <R7FHc.58342$WB5.27168@pd7tw2no>
Date: Fri, 09 Jul 2004 22:38:41 GMT
NNTP-Posting-Host: 24.71.223.147
X-Complaints-To: ab...@shaw.ca
X-Trace: pd7tw2no 1089412721 24.71.223.147 (Fri, 09 Jul 2004 16:38:41 MDT)
NNTP-Posting-Date: Fri, 09 Jul 2004 16:38:41 MDT
Organization: Shaw Residential Internet
Xref: g2news1.google.com microsoft.public.msn.discussion:1431

MIGuy wrote:
> Only you can turn a Mozilla security problem item into a bash Microsoft
> thread.  You not only beat a dead horse to death, but you back up and
> do it again to the point of boring the he$$ out of me.  Rest it awhile,
> it's not even newsworthy.

How is it that you appear incapable of properly 'replying' to a newsgroup post?

Why do your 'replies' start a new thread rather than append themselves to
the existing thread?

Perhaps *YOU* should buy a clue about common newsgroup methods before you
start accusing others of boring you.

And by the way, what do you mean when you say 'bore the he$$ out of me'? Why
are you using dollar signs for your Ss and what does 'hess' mean?

Look over this newsgroup to see how people reply to posts and then ask
yourself, 'What am I doing wrong'?

As for my post not being newsworthy, I have to disagree and so do all the 
news agencies that carried the story all over the 'Net - Perhaps you are
wrong!

Have a nice day and polish up on how to *properly* post a reply in a
newsgroup so you won't make such a fool of yourself next time.

Best regards,

Brian
Linux Mystic
open sorcerer