Information Security News mailing list archives

Re: Microsoft upgrades IE flaw to critical after criticism


From: InfoSec News <isn () c4i org>
Date: Fri, 20 Dec 2002 04:06:39 -0600 (CST)

Forwarded from: Aj Effin Reznor <aj () reznor com>

[Last one on this topic...  - WK]

Yes, the Return of the Glib One...

"InfoSec News was known to say..."

The attacks on Microsoft's security are getting repetitious and
counter-productive. There are plenty of flaws in many open source
products that could be listed and lambasted on a list such as this.

Counter-productive, *how*?  Is that to say that people are tired of
hearing that the sky is falling, or that MS is getting tired of it?

 
IMHO, the attacks have worked and should be put aside until it is
obvious they are needed again. The company shut down production for 2
months and forced every developer to review every line of code. That
is a pretty serious commitment for a profit-driven corporation. The
versions of the software most directly affected have not even been
released in production yet.

The media reported that coders were taken offline and taught how to
"code securely".  In an age when "good code" is code that is tweaked
until the compiler no longer throws errors, security is clearly a long
way off.

If MS did indeed shut down for 2 months, as you claim, then perhaps 4
months, or 6, or 8 would be yielding something we could see.

Sure, a lot of what we have here are "legacy" items, but you'd think
that a 2 month code audit would have found all (if not most) of the
problems and resulted in some fat hotfixes/SPs to correct them all,
rather than having, say, an exploitable image format (PNG anyone?)
*still* present.  What good did this 2 month downtime do, other than
serve PR?

 
How would you motivate a large number of home-users to patch
affected systems? RedHat et al currently still have the mixed
blessing of not having a large install base of unmanaged home PCs.
RedHat will face the exact same problem if/when it gains marketshare
in that area. Then what? Do they remotely, as the RedHat root account,
force people to patch? Do they coax, cajole and try to sell patching
to end users?

What's MS doing?  Denying that problems are serious, so much as
telling users practically that the patches aren't really needed
because "that vulnerability is entirely theoretical"?

 
Full Disclosure: I work for the evil empire, get over it.

Over it?  It's your soul, not mine...

 
DOH!


-aj.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.