Thread: Windows 10?
July 28th, 2015, 03:52 AM   #137
Rick Danger
Why, oh why ????

If you have an updated browser product, Edge, included in Windows 10, why would you include the still-vulnerable Internet Explorer?

Why?

HP's ZDI discloses 4 new vulnerabilities in Internet Explorer

ZDI went public after extending the disclosure deadline twice with no fix forthcoming from Microsoft

InfoWorld - Jul 23, 2015

HP's Zero Day Initiative (ZDI) doesn't cut much slack with its 120-day disclosure policy. When ZDI knocks on your door and says you have a security hole, you get 120 days to fix it or risk full public disclosure. That's what happened -- again. With ZDI and Microsoft -- again. Over Internet Explorer -- again.

Rather than spilling all the beans, ZDI offers a tantalizing hint at what the problems entail. If the ZDI whistleblowers successfully walk the fine line, they'll spur Microsoft to take action without supplying information to the bad guys. All the while, of course, ZDI offers its own protection against the vulnerability, so it's hardly a zero-sum game.

The timeline published by ZDI in this case looks remarkably lenient. ZDI notified Microsoft of the first vulnerability on Nov. 12, 2014. It extended the disclosure deadline to May 12, 2015, then extended it again to July 19. "The vendor [Microsoft] replied with an expected build, but not a date." With no fix forthcoming, ZDI went public on July 22.

Here are the vulnerabilities, as reported by ZDI:

ZDI-15-359: Microsoft Internet Explorer CTableLayout::AddRow Out-Of-Bounds Memory Access Vulnerability
ZDI-15-360: Microsoft Internet Explorer CAttrArray Use-After-Free Remote Code Execution Vulnerability
ZDI-15-361: Microsoft Internet Explorer CCurrentStyle Use-After-Free Remote Code Execution Vulnerability
ZDI-15-362: Microsoft Internet Explorer CTreePos Use-After-Free Remote Code Execution Vulnerability

The general advice is to avoid using Internet Explorer. Bet you've heard that one before.

UPDATE: Sources close to the fray confirm that three of the four vulnerabilities only appear in the mobile version of Internet Explorer. One, ZDI-15-359, did affect the desktop version, but it's already been patched.