[plug] Re: FW: Interesting Study

garry garbuck at tpg.com.au
Sat Aug 17 20:29:15 WST 2002


If Windows is providing the crypto services, and the nice man from Microsoft 
didn't-say-but-meant "doesn't affect any other MICROSOFT application outside 
of internet exploder", this would mean that Windows versions of NS, Opera etc. 
are vulnerable.

Should you choose to think I am crying wolf due to misinterpreting the stuff 
between the lines.. ok. But if you think that maybe Microsoft has other than 
an exemplary record on security matters, and if you prefer to err on the side 
of caution when it comes to your banking security, you may choose to warn 
your family and friends about a possible vulnerability.

That's what I did.

Regards

Garry

> Erm... actually I seem to remember reading that while the code is in
> windows, not IE (and what's the difference here anyway??), the flaw only
> affects IE. At least, according to MS.
>
>  From the article you just referred to:
>
> "Company officials added that the flaw isn't in Microsoft's CryptoAPI
> application program interface (CAPI) either, which would have left a
> number of applications and Windows services vulnerable, not just
> Internet Explorer."
>
> <snip>
>
> "But Culp said that the SSL flaw doesn't affect any other application
> outside Internet Explorer and that it's a client-side issue only."
>
> The key point here is that, at least according to MS (and I haven't
> heard anybody argue with them about it yet) while the code resides in
> the OS (libs I assume), the fault only affects MSIE. This suggests to me
> that it's actually in one of the libs that only need to be in IE but got
> incorporated into the OS proper to make it harder to rip out / replace
> IE. *sigh*.


