Cookie Security Hole Again? Not Who You'd Expect


Jeff Howden


With all the buzz around these days by the anti-Microsoft crowd about how insecure Microsoft's Internet Explorer is, it's quite ironic to see a security notice come out about a cookie problem existing in the anti-Microsoft crowd's browser of choice — Mozilla. What's even more ironic is that the security hole was reported to Netscape in the middle of November 2001. There wasn't a fix available until the release of Mozilla 0.9.7, approximately 1½ months after it was reported. And there's no mention of this fix in the release notes, though it was reported as fixed to Mark Slemko, who discovered the exploit. A very similar security hole was reported to Microsoft within approximately one week's time and a patch was available within 4 days. There was plenty of noise about how Microsoft wasn't quick enough to address the issue. How come we don't hear the same amount of noise (or, more appropriately, more noise) about Netscape dropping the ball on this issue for so long?

There's a more in-depth news article available at TheRegister.com. If you'd rather skip the news story and get right to the technical details about how the exploit works, go read about the exploit discovered by Mark Slemko.

.jeff

Jeff Howden (.jeff) is a web developer working for Vos & Howden, LLC in Portland, Oregon where he's partnered with long-time colleague, Anthony Vos. His skills include ColdFusion, JavaScript, CSS, XML, relational databases, and much, much more. His biggest professional accomplishments include, but are not limited to:

  • building a ColdFusion-based e-commerce solution for Mt. Bachelor that transacted over $1.62 million dollars in September 2001 with 0 (yes, that's zero) ColdFusion errors and then an almost completely rebuilt version transacted $2.86 million dollars in September 2002.
  • being asked to be a Technical Editor for the ColdFusion MX book, Inside ColdFusion MX from New Rider's Publishing company.
  • being asked by BrainBench to perform quality control on their JavaScript 1.5 certification test after receiving the highest beta test score out of 200 testees.
  • managing the server that hosts evolt.org and withstanding a slashdotting that brought over 1,000,000 hits to the site, over 10 gigs of data transfer, and an average in excess of 2300 unique visitor sessions per hour, all within a 24-hour period and the server never hiccuping once.

Hmmm

Submitted by nick123 on January 29, 2002 - 16:24.

At least you don't have to upgrade xmms to fix NS, unlike some other products. :) Only joking... this 'hole' should have been made more public... I just think the article came across as flame bait and I don't think OS bashing helps MS users or non-MS users. Although I'd concede the Linux crowd seem to take more pleasure in bashing MS :)


Re: Hmmm

Submitted by Jeff Howden on January 29, 2002 - 16:41.

Nick,

"At least you don't have to upgrade xmms to fix NS, unlike some other products. :)"

I'm not sure what you mean by "xmms". From the link you posted it sounds like you're talking about a security issue related to Windows Media Player — quite a different issue than the Microsoft cookie hole I mentioned in my article which is far more similar to this Netscape security hole. The patch for the recent cookie hole in Internet Explorer is very small.

I agree the hole should have been made more public. Maybe if it had been, Netscape would have made more of an effort to correct it sooner. That tactic appears to work quite well with Microsoft.

I also agree that OS bashing doesn't help anybody. However, you'll notice that I don't say anybody is better than anybody else. All I'm saying is that I found it funny that Netscape — a model open source project — is guilty of the very thing (to a worse degree in this instance) that many in the anti-Microsoft crowd bash Microsoft for. I guess all I'm trying to say is that you should look before you leap. You never know when that once-clean landing zone might have a pile of poo in it to "pad" your landing next time.

.jeff


Fair cop Jeff

Submitted by andrewpander on January 30, 2002 - 00:44.

Ok Jeff. Fair cop. :)

Just how quickly, though, MS reacted to the cookie vulnerability is questionable. Some say the middle of November, some say the eighth of November (including Microsoft, I think), other sites say it was the first of November. I should go collect some urls.

That said, the mozilla vulnerability is far more severe. The implications for those brands of linux which attempt an 'easy-to-use' approach to unix (ie, if it ain't in an rpm you're in trouble pal) will be worse still. If you can't upgrade your version of mozilla because it will break evolution / the built in help system / your system configuration utility, then you've definitely landed on the wrong 'pad'.

Cheers


Re: Fair cop Jeff

Submitted by Jeff Howden on January 30, 2002 - 01:15.

Andrew,

Just how questionable can Microsoft's reaction be? According to some of the first posts on NTBugTraq where it was first made public outside of the notifications to Microsoft, it's noted that Microsoft was informed of this bug on the 1st of November. According to Microsoft's Tech Bulletin (noted in my article above), a patch was available on the 13th. The story hit the news sites on the 8th, the same day Microsoft created the Tech Bulletin. On the 13th, they updated it to include the patch and additional information. Depending on how you look at it, they either responded in less than two weeks, a far cry better than 1½ months, or they responded in about 4 days. Either way it was quick and thorough.

Thanks for the additional insight into the potential severity of the Mozilla bug. I had no idea there was so much extra potential impact for this one. I guess I was naive to think that Microsoft was the only one creating so many dependencies these days.

<duck>

.jeff


Not really ironic

Submitted by djc on January 30, 2002 - 10:59.

With all the buzz around these days by the anti-Microsoft crowd about how insecure Microsoft's Internet Explorer is, it's quite ironic to see a security notice come out about a cookie problem existing in the anti-Microsoft crowd's browser of choice — Mozilla.

There's a lot of buzz about how insecure MS's browser is by a lot of people, not just anti-MS zealots. That's because IE has a well known history for security issues. As for 'ironic', I think it's ironic that if the company/browser names were switched in this article, it would be labeled as "Anti-MS Crowd" zealotry (if it were even approved, that is) that this article makes such a huge deal about. If the zealotry is such a terrible thing that's to be looked down upon, why not just talk about the bug and related info instead of coming off as part of the 'anti-NS' crowd?


Re: Not really ironic

Submitted by Jeff Howden on January 30, 2002 - 12:45.

Dan,

Let me just say that, yes, there is buzz from more than just the anti-Microsoft crowd (note I haven't once used the term zealot — that's your own label). However, the loudest noise, heckling, and general foulness comes from the anti-Microsoft crowd. The rest seem to be satisfied with simply reporting the details and moving on.

Actually, if you'd bothered to look, there are several other news articles here on the site that mention security holes in Internet Explorer. In none of those do I see any complaints that the articles are "'Anti-MS Crowd' zealotry".

zealotry
Excessive zeal; fanaticism.
excessive intolerance of opposing views
The character and behavior of a zealot; excess of zeal; fanatical devotion to a cause.

Why am I defining zealotry here? It's simple really. My take on the current situation is that the "zealots" forgot to look around them before making noise. While they are busy running off at the mouth about how bad Microsoft is, they've inadvertently missed the fact that Mozilla has fallen into the same quagmire Microsoft is usually associated with and had a much more difficult time climbing out. Hmmm, re-reading that passage it seems I should use the word "hypocrite" instead. But hey, I wasn't the one that used the word "zealot" to begin with.

All I'm saying — in case you've still missed it — is that if you (you in general, not you specifically Dan) are going to hold someone (Microsoft) to one standard then you should hold everybody else (Mozilla, Opera, Konqueror, etc.) to that same standard. Otherwise you come off as a zealot and will have your opinions discounted as unfounded, hypocritical flame-bait.

.jeff


Blame the Media ...

Submitted by Mishka on January 30, 2002 - 18:58.

My take would be .. it boils down to what makes news and what affects more people. The media controls that. If the story had been big enough and the media had gotten wind of it, it would have been reported, and probably fixed much sooner. He who screams loudest gets heard the most?? ;)

Anyway, now I'm really ticked off that NS has gone to a setup download for their browser. It was one of the reasons I liked having NS at my parents.. I could download it for them on a cable modem, write it to disk, drive the hour to their place, far quicker than trying to download the file off their 28.8 connection. Sigh. Looks like I have to switch to the dark side anyway, as their accounting and banking software will no longer support NS very soon.

Laters, Mich


Is consistency in scrutiny too much to ask?

Submitted by spongepuppy on February 2, 2002 - 02:54.

Much of the internet technical news media is strongly aligned with or probably run by the Open Source hippies anyway. That's hardly unsurprising, since they're the people who have an intrinsic interest in such issues. I do find it rather irritating that the pet open source projects of the age are not looked upon with the same critical eye as many other [commercial] software projects.

A good case in point is the GIMP user interface. Although you can forgive it when you're looking through Open Source goggles, the fact is that GIMP workflow versus Photoshop [or even Paint Shop Pro] workflow leaves a great deal to be desired. It doesn't mean that GIMP isn't a good application - but there isn't the sheer critical pressure on many open source projects that there needs to be to ensure the enduring quality of these projects.

It does, however, grieve me deeply to compare an excellent product like mozilla to something as unpolished as GIMP. Mozilla is an excellent product, but it would be nice to see some consistency in the manner in which open source products are scrutinized.


Mozilla is irrelevant - Resistance is futile

Submitted by themadman on February 2, 2002 - 08:18.

This doesn't really worry me. Why? Because Mozilla will probably never be released in this decade, and if and when it finally is released, I hardly expect droves of people (other than the aforementioned zealots) switching from their current browser.

Microsoft's product security problems get more media attention simply because of the number of people who use their products, and hence the greater impact of the problem.

Of course, this article isn't about Microsoft versus the rest of the world, so let the comments not degenerate into that ;)


Re: Mozilla is irrelevant - Resistance is futile

Submitted by mwarden on February 2, 2002 - 12:44.

themadman,

I'm not sure what you mean by "Mozilla will probably never be released in this decade..." There have been many releases of the product. Unless you're talking about the 1.0 release. But, you have to understand that you're comparing apples and oranges when you consider corporate software releases and open source software releases. The goals of the two types of releases are much different.

And, surely the reason(s) Microsoft's security issues get greater media attention is more than just "more people use it". There is a "hate the big, evil corporation who did such mean things that they were charged with monopolizing the industry" aspect to it all, however large the degree (and maybe truth). I think your statement is an oversimplification.


my stupid notes

Submitted by tunemx on February 11, 2002 - 12:34.

  1. Anti MS zealots have choices. If they are bothered by Mozilla's cookie exploit, they can run Konqueror, Galeon (though same engine), etc. What can MS users choose?
  2. Anti MS zealots get Mozilla for free. What about MS people?
  3. Mozilla probably does not have as many developers for the project as MS has. Am I right?


phear the cookies!

Submitted by htd on February 20, 2002 - 05:21.

I think this is not a severe security exploit. In this case only cookies registered for top-level domains like .microsoft.com and NOT www.microsoft.com can be read. I didn't count them, but I think cookies that are set for top-level domain names are quite rare on my machine... I also can't see what's so insecure about readable cookies - most of them contain some weird encoded data only the originating page can read.

Considering security issues, I wouldn't choose MS products instead of open-source or another company's solution - Code Red for their web-server, Script virus for their complete office line, sensitive data (changes-history, username, creationdate, file-path) saved within office documents and so forth. Maybe there's more exploits for MS stuff because more people use these products, maybe exploits spread like crazy because more morons use these products - I think it's because programmers at MS are too lazy to design and create quality software (except for their winNT series which work quite well, as long as you don't use the addons it brings with (IE, IIS,...)).

P.S.: in case you're wondering, I currently use win2k and Opera6.0 to post this message.


Mozilla was in beta at this point

Submitted by mjp on June 6, 2002 - 12:57.

An important point that seems to not have entered the author's mind is that Mozilla was not officially released at this point. So there was a bug? Well, that's what beta releases are for...to find and combat bugs. Microsoft bugs are in production software, which the Mozilla developers never claimed this was. If this was fixed in 0.9.7, that was before a production release. What exactly is the problem?


Evolt.org is an all-volunteer resource for web developers made up of a discussion list, a browser archive, and member-submitted articles. This article is the property of its author; please do not redistribute or use elsewhere without checking with the author.