Author Topic: Vulnerability - Oscars awarded (Pwine 2010)  (Read 5745 times)

Asyn
Vulnerability - Oscars awarded (Pwine 2010)
« on: July 30, 2010, 12:09:52 PM »
The Pwnie Awards 2010...
http://pwnies.com/winners/
asyn
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Asyn
Re: Vulnerability - Oscars awarded (Pwine 2010)
« Reply #1 on: July 30, 2010, 12:16:11 PM »
That one is rather funny...!! ;D
Go here for further info: http://p42.us/ie8xss/
asyn


Pwnie for Most Epic FAIL

Sometimes giving 110% just makes your FAIL that much more epic. And what use would the Internet be if it wasn't there to document this FAIL for all time?

This award is to honor a person or company's spectacularly epic FAIL.

- Microsoft Internet Explorer 8 XSS filter

Internet Explorer 8 was released with built in cross-site scripting filters which, for nearly a year after release, enabled cross-site scripting on otherwise secure sites. Ironic. Epic. Fail.

bob3160
Re: Vulnerability - Oscars awarded (Pwine 2010)
« Reply #2 on: July 30, 2010, 02:16:06 PM »
What is Epic FAIL ???
I've heard of an Epic Failure ???
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v22H2 64bit, 16 Gig Ram, 1TB SSD, Avast Free 23.5.6066, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

polonus
Re: Vulnerability - Oscars awarded (Pwine 2010)
« Reply #3 on: July 30, 2010, 11:23:43 PM »
Hi bob3160,

We can discuss if it was related to the verb fail (epic fail moment), because Microsoft failed and because the results were ironically miserable, the IE8 XSS-filter made that secure sites that were not vulnerable before the filter became vulnerable through implementing the filter, and that was the epic part to grant the award. And it was a MS failure also because the intention was good but the end result was miserable, so they got the award both for an epic fail on an XSS filter that was a failure,
by the way the XSS filter of NS has not been beaten and firekeeper is also a very reasonable filter in this respect,

polonus

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Dch48

  • Guest
Re: Vulnerability - Oscars awarded (Pwine 2010)
« Reply #4 on: August 01, 2010, 12:40:21 AM »
Quote
Hi bob3160,

We can discuss if it was related to the verb fail (epic fail moment), because Microsoft failed and because the results were ironically miserable, the IE8 XSS-filter made that secure sites that were not vulnerable before the filter became vulnerable through implementing the filter, and that was the epic part to grant the award. And it was a MS failure also because the intention was good but the end result was miserable, so they got the award both for an epic fail on an XSS filter that was a failure,
by the way the XSS filter of NS has not been beaten and firekeeper is also a very reasonable filter in this respect,

polonus


I don't see where the end result was "miserable". The article clearly states that the filter was effective in the great majority of instances and that the exploits were rare. It is also a fact that this problem has been resolved.

polonus
Re: Vulnerability - Oscars awarded (Pwine 2010)
« Reply #5 on: August 01, 2010, 01:05:08 AM »
Hi Dch48,

I cannot see why else MS got the award, certainly not because they did a particularly good job there. And it is patched, but I said above it was a fail moment. But we should keep MS on the ball else they lean back and think of other issues than security related ones, and you also get situations you want to avoid like official recommendations from UK government officials that they will not dump IE6 because of software compatibility issues and tax-payer cost-effectiveness. I rather would start to do this now as when it becomes inevitable then they will have really serious problems arising, that will create greater costs to the taxpayer than hanging in with a less-secure IE6. Well there are folks in that country there that are still taking their Fortran course to keep official software going, stemming way back from before the days of Windows NT4 when I did the official MS admin training "together with the kernel" round the days of the change of the Millennium (so I am MS trained).

polonus
« Last Edit: August 01, 2010, 01:07:09 AM by polonus »

Dch48

  • Guest
Re: Vulnerability - Oscars awarded (Pwine 2010)
« Reply #6 on: August 01, 2010, 02:30:03 AM »
Keeping IE6 is ridiculous as well as training people in Fortran but cost effectiveness is a factor. I just always take criticisms of MS and other industry leaders like Symantec with a large dose of salt because of the "Bring down the big guy" syndrome. I completely trust anything by either MS or Symantec and will use them over other offerings if possible and cost effective. Norton is no longer cost effective for me but it's still a fine product. The only MS product I have ever tried and had problems with was MSE. I'm sure they will get it ironed out though.

mkis
Re: Vulnerability - Oscars awarded (Pwine 2010)
« Reply #7 on: August 01, 2010, 05:02:35 AM »
Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

Asyn
Re: Vulnerability - Oscars awarded (Pwine 2010)
« Reply #8 on: August 01, 2010, 11:10:13 AM »

bob3160
Re: Vulnerability - Oscars awarded (Pwine 2010)
« Reply #9 on: August 01, 2010, 05:19:25 PM »
Quote
I completely trust anything by either MS or Symantec
Unfortunately, trusting anything created and controlled by humans will sooner or later result in disappointment. :)

mkis
Re: Vulnerability - Oscars awarded (Pwine 2010)
« Reply #10 on: August 01, 2010, 10:08:15 PM »
+1
and most time that's why we contribute to these forums, to help alleviate the disappointments

polonus
Re: Vulnerability - Oscars awarded (Pwine 2010)
« Reply #11 on: August 01, 2010, 10:29:56 PM »
Hi mkis,

But sometimes it can also be turned into the opposite of what you say, and I for instance also like to add to a user's feeling of satisfaction, software can also bring joy and sometimes do the little extra beyond what you expect of it,

polonus

mkis
Re: Vulnerability - Oscars awarded (Pwine 2010)
« Reply #12 on: August 01, 2010, 11:54:05 PM »
 :)