Information Security News mailing list archives

RE: Microsoft upgrades IE flaw to critical after criticism


From: InfoSec News <isn () c4i org>
Date: Wed, 18 Dec 2002 03:46:30 -0600 (CST)

Forwarded from: Jason Scott <jscott () textfiles com>

On Tue, 17 Dec 2002, InfoSec News wrote:

> Forwarded from: Mark A. Simos <MSimos () POBox com>
> Cc: myemailaccount () fastmail fm

> The attacks on Microsoft's security are getting repetitious and
> counter-productive. There are plenty of flaws in many open source
> products that could be listed and lambasted on a list such as this.

Excellent, then. While we continue to point out the flaws and possibly
intentional oversights in Microsoft's security, and how EVERY SINGLE
E-MAIL BORNE VIRUS can credit Microsoft's Products with working,
let's aim our sights on Open Source, too. There's really room for
everyone in security discussions; that's the nice nature of human
conversation.

However, the cool part about open sourced products is how pretty much
everyone can look at the code, and maybe suggest a fix, or at least rip
stuff out if they don't like what's going on. Not so with Microsoft
products, where we have to hope daddy gets home from India or wherever
you're trying to dominate next to throw a few patches our way.

> IMHO, the attacks have worked and should be put aside until it is
> obvious they are needed again. The company shut down production for 2
> months and forced every developer to review every line of code. That
> is a pretty serious commitment for a profit-driven corporation. The
> versions of the software most directly affected have not even been
> released in production yet.

It's only a serious commitment when it actually works. As of now, it's
not worked. Excellent, fine, it's all in the pipeline and if we just
wait patiently, the new secure stuff will be there, we promise, sorry
about the attacks and the flaws before then.

We've already seen some excellent approaches by Microsoft in the past
year, i.e. "Don't trust anything signed by Microsoft" and "Well,
anything before XP is completely insecure and so don't use it." I'm
sure we can look forward to further cutting edge solutions like "Well,
if you'd only signed up for our subscription service you would
actually get patches for Outlook instead of thinking you bought a
product and it should work, you silly gits."

> How would you motivate a large number of home-users to patch
> affected systems? RedHat et al currently still have the mixed
> blessing of not having a large install base of unmanaged home PCs.
> RedHat will face the exact same problem if/when it gains market share
> in that area. Then what? Do they remotely as redhat root account
> force people to patch? Do they coax, cajole and try to sell patching
> to end users?

Redhat will not entirely face the same problem, because everything Red
Hat does could be augmented by third parties, i.e. someone can, under
the Open Source system, produce a nice little business offering an
automatic download service or what have you. Solutions, solutions.
With Microsoft, well, we all better rest easy and hope you get
everything working, because it's not like we can check out what's
going on over at SuSE Microsoft or Mandrake Microsoft and make our
lives a little easier.

> Full Disclosure: I work for the evil empire, get over it.

Part of the downfall of life has been people who work for companies
but don't want to reap the pain of working for the company, just the
pleasure.  I've had glorious "discussions" with telemarketers and
store clerks along this line, and would welcome one with you. Keep
astroturfing, suit.

> FYI, I mean nothing special about redhat specifically, they are just
> the most popular MS alternative in the US

I'd suggest not using "MS Alternative" like there is one right now. If
Linux was as scary as you've started making it out to be, you'd be
suing everybody and everything.

In fact, I think that's how 2003 is going to go.

Full Disclosure: I use XP, as a front end to 6 networked FreeBSD boxes
via samba, and they don't give that rabid dog write access.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

