Information Security News mailing list archives

RE: Microsoft upgrades IE flaw to critical after criticism


From: InfoSec News <isn () c4i org>
Date: Tue, 17 Dec 2002 05:25:04 -0600 (CST)

Forwarded from: "Bill Scherr IV, GSEC, GCIA" <bschnzl () bigfoot com>

Folks

I think we can all agree that for most IT workers, Microsoft-related
issues top the list of answered calls.  Even without that fact,
processors with full keyboard input devices running Microsoft software
do outnumber those that don't.  The primary users of the overwhelming
majority of the machines running Microsoft software expect the machine
to run without regular maintenance or monitoring.  Any dissenters?

Let's step back in time for a moment.  Pretend that you are designing a
complete digital communications system from scratch.  Would you really
give the more complex machines to all of your users?  Would you
propose that all users use that same Byzantine system?  Would you
stipulate that owners and operators of those systems be denied
detailed information on the system's inner workings?  OK, the
engineers really don't have a say in all this.  The answers to the
above questions highlight why it is important to spread vulnerability,
if not all internal information as far and wide and detailed as
possible.  We are literally flying blind.

Unless we relentlessly echo the issues of this complex, monolithic,
secret, ubiquitous system we have deployed, we have no hope of
alerting everyone.  I am not saying we should take out advertisements,
or get it on the Evening News Shows.  THAT would be counterproductive.  
But this list, of all lists, is one place for repeating issues with
this system that was built without consulting the engineers.

Now, it is apparent that issuing patches is not working.  The model is
not likely to work for any software suite.  Albert Einstein said "The
problems that exist in the world today cannot be solved by the level
of thinking that created them."  We must adjust the paradigm.

The direction of the shift will not be solved here.  IMHO, we have
standards bodies, and they need more teeth.  Either way, I believe the
shift is already occurring.  My $0.02

Mark, I applaud your full disclosure.  I do not believe I have
anything so pertinent to this issue to disclose!

On 16 Dec 2002 at 5:17, InfoSec News wrote:

Forwarded from: Mark A. Simos <MSimos () POBox com>
Cc: myemailaccount () fastmail fm

The attacks on Microsoft's security are getting repetitious and
counter-productive. There are plenty of flaws in many open source
products that could be listed and lambasted on a list such as this.

IMHO, the attacks have worked and should be put aside until it is
obvious they are needed again. The company shutdown production for 2
months and forced every developer to review every line of code. That
is a pretty serious commitment for a profit driven corporation. The
versions of the software most directly affected have not even been
released in production yet.

How would you motivate a large number of home-users to patch
affected systems? RedHat et al currently still have the mixed
blessing of not having a large install base of unmanaged home PCs.
RedHat will face the exact same problem if/when it gains marketshare
in that area. Then what? Do they, remotely as the RedHat root account,
force people to patch? Do they coax, cajole and try to sell patching
to end users?

Full Disclosure: I work for the evil empire, get over it.

FYI, I mean nothing special about RedHat specifically; they are just
the most popular MS alternative in the US.


Bill Scherr IV, GSEC, GCIA
Electronic Warfare Associates / IIT
Lafayette RTI, Camp Johnson
Colchester, VT 05446
802-338-3213



ISN is currently hosted by Attrition.org
