[Owasp-singapore] [security-77] Does the DirectDraw vulnerability affect non-IE browser too?

Wong Onn Chee ocwong at usa.net
Tue Jul 14 23:19:35 EDT 2009


Hi Winston,

Agree, we (at least for me) are not saying which browser is better than
the other.
Just as you said that FF (or Opera and Safari) has its own share of
vulnerabilities.
This topic is not about a browser war. :-)

Instead, I want to highlight that the usual practice of a single browser
in corporates is high risk and should be discouraged.
It is common sense that we do not put all our eggs in 1 basket.
And if we can do so for our security systems, such as F/W, why not apply
such good practice to the browser too?

I strongly advocate a dual browser environment for corporates, so that
organisations can enjoy the flexibility of switching browsers (can be
temporary) when any unpatched vulnerabilities in one of the browsers are
found. To achieve this, all internal web applications must be
cross-browser compatible. Hence, the IS team must also work with the
apps team to achieve better protection from browser vulnerabilities.

Lastly, as a matter of curiosity, you mentioned that the recent IE issue is a
plugin problem.
So can we uninstall the DirectDraw plugin from IE?
If yes, can you share with the group?
Uninstallation, if possible, should be more effective than the MS method.




On 07/15/2009 11:00 AM, Winston.Leong at sg.ey.com wrote:
> To be fair, this vulnerability affected a particular plugin in IE, not the
> browser itself.
>
> All browsers have their own issues; you install one, you make sure you patch
> that one more. I believe safe browsing is still the fundamental protection
> that is required rather than a technical solution.
>
> Just for the scoreboard, Firefox just got 0-dayed with another
> vulnerability.
> http://www.f-secure.com/vulnerabilities/SA200903371
>
> Regards, Winston Leong
> Winston Leong | Technology and Security Risk Services
> Ernst & Young Risk Advisory Services Pte. Ltd
> One Raffles Quay, North Tower, Level 18, Singapore 048583
> Office: +65 6309 6766 | Fax: +65 6532 7662
> Mobile: +65 9028 3600
> Website: www.ey.com
> Thank you for considering the environmental impact of printing emails.
>
> fs chan <chanfs16 at gmail.com>
> Sent by: owasp-singapore-bounces at lists.owasp.org
> 13/07/2009 09:36 PM
> To: Wong Onn Chee <ocwong at usa.net>
> cc: security-77 at meetup.com, owasp-singapore at lists.owasp.org
> Subject: Re: [Owasp-singapore] [security-77] Does the DirectDraw vulnerability affect non-IE browser too?
>
> Yes, and usually IE is the one browser... I am still wondering why....
>
>
>
>
> On Sun, Jul 12, 2009 at 5:37 PM, Wong Onn Chee <ocwong at usa.net> wrote:
>> Thanks, Aung.
>>
>> This incident further gives merit to the good practice of using multiple
>> browsers. :-)
>>
>> That's why I find corporates, who standardise on only 1 browser, look a
>> bit naive in terms of web security.
>>
>> Just like one should not only have firewalls from a single vendor, one
>> should not only use web browser from a single vendor too.
>>
>> But well, good advice tends to fall on deaf ears.
>>
>> And many in Singapore have deaf ears. ;-)
>> LOL.
>>
>> Cheers
>> Onn Chee
>>
>> On 07/11/2009 11:59 PM, Aung Khant wrote:
>>
>> only IE 6,7 under
>>
>> Windows XP Service Pack 2 and Windows XP Service Pack 3
>> Windows XP Professional x64 Edition Service Pack 2
>> Windows Server 2003 Service Pack 2
>> Windows Server 2003 x64 Edition Service Pack 2
>> Windows Server 2003 with SP2 for Itanium-based Systems
>>
>>> The compromised websites link to a series of servers that exploit a
>>> zero-day vulnerability in an IE component that processes media. The
>>> vulnerability affects those using the XP and 2003 versions of Windows,
>>> Microsoft warned in this advisory.
>>
>> On Sat, Jul 11, 2009 at 8:18 AM, Wong Onn Chee <ocwong at usa.net> wrote:
>>> Hi,
>>>
>>> Does anyone know whether the latest MS vulnerability also affects non-IE
>>> browsers, such as Firefox and Opera, in Windows?
>>>
>>> Regards
>>> Onn Chee
>>>
>>> --
>>> Please Note: If you hit "REPLY", your message will be sent to everyone on
>>> this mailing list (security-77 at meetup.com)
>>> http://security.meetup.com/77/
>>> This message was sent by Wong Onn Chee (ocwong at usa.net) from The Singapore
>>> Security Meetup Group.
>>> To learn more about Wong Onn Chee, visit his/her member profile:
>>> http://security.meetup.com/77/members/1756147/
>>> To unsubscribe or to update your mailing list settings, click here:
>>> http://www.meetup.com/account/comm/
>>> Meetup Support: support at meetup.com
>>> 632 Broadway, New York, NY 10012 USA
>>>
>>
>> --
>> Best Regards
>> YGN Ethical Hacker Group
>> http://yehg.net
>>
>>
>>
>>
>>
>>
>> _______________________________________________
>> Owasp-singapore mailing list
>> Owasp-singapore at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-singapore
>>
>
> --
> View my IT blog at http://fooksheng.blogspot.com/