July 05, 2004

Extraordinary CERT Alert

US-CERT Vulnerability Note VU#713878 is a real jaw dropper. It describes one more in a long line of vulnerabilities affecting Microsoft's proprietary Internet technology extensions. These extensions are at the heart of Microsoft's highly successful strategy for dominating the web browser market: by providing highly useful functionality that only works with MS Internet technology, and by not releasing it as an open standard, Microsoft tempts many site developers to build on its extensions and so shuts out alternative providers, both in the application space (mail readers) and in the OS space.

At the time of writing there is no practical fix for this hole, or for several others, that lets you continue business as usual, and it doesn't look like there will be one anytime soon, because the problem sits deep in the guts of MS' Internet technology suite. It's quite likely that a lot of neat and useful functionality depends on the broken services staying exactly as they are.

Furthermore, since Microsoft made the decision to integrate these technologies into Windows itself, any other code on the system can invoke the broken components, not just the browser and the mail client. Dropping IE and Outlook is a reasonable solution for a medium-security institution, but for installations with high security needs, such as banks, the only solution is to drop IE, Outlook, and Windows itself.

What's more astounding is that US-CERT is essentially the US government: it is a public/private partnership whose public half is the US Department of Homeland Security.

Unfortunately, some commentary doesn't quite get it and remarks only on the "get rid of IE" portion of the last mitigation recommendation. That's fine, as far as it goes, but as long as the insecure code remains on your system and isn't likely to get fixed, it's irresponsible not to extricate your company from Windows as soon as possible.

Posted by TMLutas at July 5, 2004 10:27 AM