Information Security News mailing list archives

Re: Microsoft upgrades IE flaw to critical after criticism


From: InfoSec News <isn () c4i org>
Date: Tue, 17 Dec 2002 05:22:52 -0600 (CST)

Forwarded from: Russell Coker <russell () coker com au>

On Mon, 16 Dec 2002 12:17, InfoSec News wrote:
> Forwarded from: Mark A. Simos <MSimos () POBox com>
> Cc: myemailaccount () fastmail fm
>
> The attacks on Microsoft's security are getting repetitious and
> counter-productive. There are plenty of flaws in many open source
> products that could be listed and lambasted on a list such as this.

The security problems in Open Source programs are not hidden or down-played.  
They are fixed as rapidly as possible.

Also Open Source software is much easier to fix.
"apt-get update ; apt-get dist-upgrade" is much easier than the process of 
applying fixes for MS operating systems.

> IMHO, the attacks have worked and should be put aside until it is
> obvious they are needed again.

What do you mean by this?  Are you referring to the fact that it is
necessary to exploit security holes in commercial products to get the
vendor to fix them?

> The company shut down production for 2 months and forced every
> developer to review every line of code.

For that to be true they would need to be very inefficient programmers
or very efficient auditors.

Auditing code for security holes and fixing them is very difficult
work.  I simply don't believe that they are capable of auditing all
the code in that time.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page



-
ISN is currently hosted by Attrition.org
