News from PANUG/BizNix - August 13, 2002
http://panug.org - http://biznix.org


NEXT MEETING
PANUG's monthly meeting is this Thursday. Details on the
presentations will be announced tomorrow.


IE SECURITY HOLE
by Gregg Berkholtz

Security issues with Internet Explorer are so frequent that many of us
ignore them. However, this one warrants special notice. A serious flaw
was recently discovered in how IE implements the SSL protocol,
rendering SSL support in IE almost useless. Any data being handled in
an SSL session can be intercepted and/or modified and copied in its
unencrypted/plaintext form.

The problem exists in IE 5 and newer and may be in older versions as
well, but they haven't been tested. Microsoft has known about this
issue for over a week and has still failed to acknowledge or resolve
it:

http://www.thoughtcrime.org/ie-ssl-chain.txt

http://online.securityfocus.com/archive/1/286893/2002-08-05/2002-08-11/1

Until this is resolved and the patch applied to your computer(s), it
would be wise to use another web browser if you need to use SSL-enabled
Web sites. Web browsers that don't appear to be vulnerable include
Mozilla 1.0 or 1.1beta (www.mozilla.org), and the Opera browser
(www.opera.com). These run on Windows, Linux, and other operating
systems.
 
A good source of information regarding unpatched IE vulnerabilities
(currently 22 unpatched vulnerabilities exist):

http://www.pivx.com/larholm/unpatched/

This SSL vulnerability also affects the KDE/Konqueror browser, but a
patch has already been written and integrated into the Konqueror
development code (it took about 95 minutes from the time the KDE team
was made aware of the issue to actually having the patch available).
Binary patches for the production release are due out shortly. Of
course, since you have access to the source code for Konqueror, you
are free to build/compile your own binaries instead of waiting.
 

ERRATA

Yesterday's broadcast contained a bad URL. The correct URL is this:
http://www.theregus.com/content/4/25943.html


HUMOR
Submitted by Christian Bayer

Q> How many Technical Support people does it take to change a
   light bulb?
A> We have an exact copy of the light bulb here and it seems to
   be working fine. Can you tell me what kind of system you have?
   OK. Just exactly how dark is it? OK. There could be four or
   five things involved. Have you tried the light switch?

Q> How many beta testers does it take to change a light bulb?
A> We just find problems. We don't fix them.

Q> How many developers does it take to change a light bulb?
A> The light bulb works fine on the system in my office.

Q> How many software engineers does it take to change a light bulb?
A> That's a hardware problem.

Q> How many hardware engineers does it take to change a light bulb?
A> Tell software to code around it!

Q> How many programmers does it take to change a light bulb?
A> Two, one always quits in the middle of the project.

Q> How many C++ programmers does it take to change a light bulb?
A> You are still thinking procedurally. A properly designed light
   bulb object would inherit a change method from a generic light
   bulb class, so all you'd have to do is send it a bulb change
   message.