MS05-025

  • Cairo

    http://www.microsoft.com/technet/security/bulletin/ms05-025.mspx

    Impact of Vulnerability: Remote Code Execution

    "Buffer overflow in the PNG image rendering component of Microsoft Internet Explorer allows remote attackers to execute arbitrary code via a crafted PNG file."

    At least it's patched now.

    We continue to use Firefox as the standard browser at my company, but all those "IE Embedded" applications, like Outlook, are perhaps a little safer now.




  • W3bbo

    ...they could have patched the transparency handling whilst they were at it.....

  • BruceMorgan

    Actually, we can't do that. Security updates are solely for security related fixes and in some cases bug fixes to existing functionality.
     
    Adding alpha blending PNG support is a feature, not a bug fix. We can't put feature additions or upgrades into a security update, even if 99% of the customer base wants the feature added.

    There are many reasons for that, some of which are obvious and some are not.  I'm sure you can figure it out.

  • W3bbo

    BruceMorgan wrote:
    Adding alpha blending PNG support is a feature, not a bug fix.


    Oh, I'm sure that's debatable ;)

  • BruceMorgan

    No, it's not debatable.  The scope of work is well beyond what a reasonable person would call a bug fix.

    Would you say that full support for alpha transparency is a feature of other browsers that IE6 doesn't support? Perhaps even an advantage of those other browsers?

  • Maurits

    +1 on "alpha transparency is a feature", not a bug

  • W3bbo

    What I mean is that IE's lack of PNG transparency support in this day and age would be considered a bug in the PNG renderer. Not that it would be "just" a bugfix to correct.

  • Shaded

    BruceMorgan wrote:
    No, it's not debatable.  The scope of work is well beyond what a reasonable person would call a bug fix.

    Would you say that full support for alpha transparency is a feature of other browsers that IE6 doesn't support? Perhaps even an advantage of those other browsers?



    Sure but only the most hardcore geeks would care enough to notice.

    The only obvious reason I can think of is adding new features may introduce more bugs.  Is that one of the obvious, not so obvious or not a reason at all for not adding it?  (Hope that makes sense.  No sarcasm I really would like to know.)

    I get the feeling this is yet another case of Microsoft being too sensitive to the whiners of the world.  I mean if a small company can adapt faster than Microsoft simply because they have (slightly) lower reliability of updates... that's crap.

    Too bad you can't choose your risk level with updates.  "Give me the bleeding edge"  or "I only want to run what everyone else has bugtested for at least 5 years" with everything in between.

  • BruceMorgan

    W3bbo, that's just changing the definition of "bug fix" to suit your argument.

  • AndyC

    W3bbo wrote:
    What I mean is that IE's lack of PNG transparency support in this day and age would be considered a bug in the PNG renderer. Not that it would be "just" a bugfix to correct.


    Even if it is a bug, it's not a security issue and therefore has no place in a security fix.

  • Minh

    BruceMorgan wrote:

    Would you say that full support for alpha transparency is a feature of other browsers that IE6 doesn't support? Perhaps even an advantage of those other browsers?

    Isn't that like saying the pope is infallible because he gets to define the word? Maybe no one is using the feature because IE doesn't support it. We know the effort involved in making it support the alpha channel, it's just that, you're in geek territory here :) You're not going to get much sympathy by saying it's hard to do.

  • BruceMorgan

    Shaded wrote:
    Sure but only the most hardcore geeks would care enough to notice.

    The only obvious reason I can think of is adding new features may introduce more bugs.  Is that one of the obvious, not so obvious or not a reason at all for not adding it?  (Hope that makes sense.  No sarcasm I really would like to know.)

    I get the feeling this is yet another case of Microsoft being too sensitive to the whiners of the world.  I mean if a small company can adapt faster than Microsoft simply because they have (slightly) lower reliability of updates... that's crap.


    Yes, that's one of the obvious reasons, since all new features risk introducing new bugs. But it's not a significant reason for why we don't introduce features in security updates, because there are many ways to mitigate that risk.

  • BruceMorgan

    Minh wrote:
    You're not going to get much sympathy by saying it's hard to do.

    I never said it was hard to do - I said it wasn't a bug fix.

  • Sven Groot

    Bruce, while you're here, mind commenting on this? Even though it's not strictly an IE bug, a lot of people will perceive it as such.

  • msemack

    W3bbo wrote:
    What I mean is that IE's lack of PNG transparency support in this day and age would be considered a bug in the PNG renderer. Not that it would be "just" a bugfix to correct.


    PNG transparency is an OPTIONAL part of the specification.  It is not mandatory to support it.

    http://www.w3.org/TR/PNG/

    IE's PNG support is compliant with the specification.

    It is absolutely a feature to be added, not a bug to be fixed.

  • DoomBringer

    Cairo wrote:
    http://www.microsoft.com/technet/security/bulletin/ms05-025.mspx
    Impact of Vulnerability: Remote Code Execution
    "Buffer overflow in the PNG image rendering component of Microsoft Internet Explorer allows remote attackers to execute arbitrary code via a crafted PNG file."
    At least it's patched now.
    We continue to use Firefox as the standard browser at my company, but all those "IE Embedded" applications, like Outlook, are perhaps a little safer now.

    Well, I blame Linus Torvalds.  He's a (I need to watch my language)!

  • rjdohnert

    Sven Groot wrote:
    Bruce, while you're here, mind commenting on this? Even though it's not strictly an IE bug, a lot of people will perceive it as such.


    That comes from a Device Driver flaw in most video cards. But it appears to be neither a Windows nor an IE bug. If you wanna mess with somebody tho, make that page their start page. :)

  • manickernel

    Sven Groot wrote:
    Bruce, while you're here, mind commenting on this? Even though it's not strictly an IE bug, a lot of people will perceive it as such.


    Hey, the crash report took me to this KB Article
