[plug] Re: FW: Interesting Study
Craig Ringer
craig at postnewspapers.com.au
Sat Aug 17 22:25:24 WST 2002
> If Windows is providing the crypto services, and the nice man from microsoft
> didn't-say-but-meant "doesn't affect any other MICROSOFT application outside
> of internet exploder", this would mean that windows versions of NS opera etc
> are vulnerable.
Fair enough - didn't really consider that. OTOH as a devil's advocate
style counterpoint: do you really think that MS would allow 3rd parties
to use the IE/win crypto APIs?
> Should you choose to think I am crying wolf due to misinterpreting the stuff
> between the lines.. ok.
Nah. You're probably right - but I don't think it's wise to _assume_ it's
the case because it might be.
> But if you think that maybe microsoft has other than
> an exemplary record on security matters,
*lol* Errm Outlook Express?!? *snigger*
> and if you prefer to err on the side
> of caution when it comes to your banking security, you may choose to warn
> your family and friends about a possible vulnerability.
Makes sense. I'd just choose to say "known hole in IE, fault lies in OS.
Fault does not affect other MS tools/apps and it is not yet known
whether it affects any other product."
I would expect one of the first things the initial discoverer did was
test other browsers on win32 as part of their checks of what browsers
were affected. They checked konq on linux so it's quite likely they
will've checked moz, etc too and probably on both win32 & linux. Not a
safe assumption, I admit - but if other browsers were vulnerable it
would've come out by now.
I wouldn't trust MS's word for it, but MS's word plus the fact that no
other browser team has said that they're vulnerable, the original
discoverer tested multiple browsers, and nobody's shot MS down in flames
over their claims all come together to indicate that they're probably
not BSing.
I didn't mean to flame if that's how it sounded in my prev message. All
I was trying to say is that the _article_ didn't say all that, and you
hadn't drawn an implicit or explicit line between your
extensions/interpretations and what was summary of the article.