[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [ISN] Microsoft upgrades IE flaw to critical after criticism

Forwarded from: Aj Effin Reznor <aj@xxxxxxxxxx>

[Last one on this topic...  - WK]

Yes, the Return of the Glib One...

"InfoSec News was known to say....."

> The attacks on Microsoft's security are getting repetitious and
> counter-productive. There are plenty of flaws in many open source
> products that could be listed and lambasted on a list such as this.

Counter-productive, *how* ?  Is that to say that people are tired of
hearing that the sky is falling, or that MS is getting tired of it?

> IMHO, the attacks have worked and should be put aside until it is
> obvious they are needed again. The company shutdown production for 2
> months and forced every developer to review every line of code. That
> is a pretty serious commitment for a profit driven corporation. The
> versions of the software most directly affected have not even been
> released in production yet.

The media reported that coders were taken offline and taught how to
"code securely".  In an age when "good code" is code that is tweaked
until the compiler no longer throws errors, security is clearly a long
way off.

If MS did indeed shut down for 2 months, as you claim, then perhaps 4
months, or 6, or 8 would be yielding something we could see.

Sure, a lot of what we have here are "legacy" items, but you'd think
that a 2 month code audit would have found all (if not most) of the
problems and resulted in some fat hotfixes/SPs to correct them all,
rather than having, say, an exploitable image format (PNG anyone?)
*still* present.  What good did this 2 month downtime do, other than
server PR ?

> How would you motivate a large number of home-users to patch
> affected systems? RedHat et al currently still have the mixed
> blessing of not having a large install base of unmanaged home PCs.
> RedHat will face the exact same problem if/when it gains marketshare
> in that area. then what? do they remotely as redhat root account
> force people to patch? do they coax, cajole and try to sell patching
> to end users?

What's MS doing?  Denying that problems are serious, so much as
telling users practically that the patches aren't really needed
because "that vulnerability is entirely theoretical" ?

> Full Disclosure: I work for the evil empire, get over it.

Over it?  It's your soul, not mine...



ISN is currently hosted by Attrition.org

To unsubscribe email majordomo@xxxxxxxxxxxxx with 'unsubscribe isn'
in the BODY of the mail.