RE: [ISN] Microsoft upgrades IE flaw to critical after criticism

From: InfoSec News (isnat_private)
Date: Wed Dec 18 2002 - 01:46:30 PST

  • Next message: InfoSec News: "[ISN] DOD, wireless LAN industry debate 802.11a standard"

    Forwarded from: Jason Scott <jscottat_private>
    
    On Tue, 17 Dec 2002, InfoSec News wrote:
    
    > > Forwarded from: Mark A. Simos <MSimosat_private>
    > > Cc: myemailaccountat_private
    > > 
    > > The attacks on Microsoft's security are getting repetitious and
    > > counter-productive. There are plenty of flaws in many open source
    > > products that could be listed and lambasted on a list such as this.
    
    Excellent, then. While we continue to point out the flaws and possibly
    intentional oversights in Microsoft's security, and how EVERY SINGLE
    E-MAIL BOURNE VIRUS can credit Microsoft's Products with working,
    let's aim our sights on Open Source, too. There's really room for
    everyone in security discussions; that's the nice nature of human
    conversation.
    
    However, the cool part about open sourced products is how pretty much
    everyone can look at the code, and maybe sugest a fix, or at least rip
    stuff out if they don't like what's going on. Not so with Microsoft
    products, were we have to hope daddy gets home from India or whereever
    you're trying to dominate next to throw a few patches our way.
    
    > > IMHO, the attacks have worked and should be put aside until it is
    > > obvious they are needed again. The company shutdown production for 2
    > > months and forced every developer to review every line of code. That
    > > is a pretty serious commitment for a profit driven corporation. The
    > > versions of the software most directly affected have not even been
    > > released in production yet.
    
    It's only a serious commitment when it actually works. As of now, it's
    not worked. Excellent, fine, it's all in the pipeline and if we just
    wait patiently, the new secure stuff will be there, we promise, sorry
    about the attacks and the flaws before then.
    
    We've already seen some excellent approaches by Microsoft in the past
    year, i.e. "Don't trust anything signed by Microsoft" and "Well,
    anything before XP is completely insecure and so don't use it." I'm
    sure we can look forward to further cutting edge solutions like "Well,
    if you'd only signed up for our subscription service you would
    actually get patches for Outlook instead of thinking you bought a
    product and it should work, you silly gits."
    
    > > How would you motivate a large number of home-users to patch
    > > affected systems? RedHat et al currently still have the mixed
    > > blessing of not having a large install base of unmanaged home PCs.
    > > RedHat will face the exact same problem if/when it gains marketshare
    > > in that area. then what? do they remotely as redhat root account
    > > force people to patch? do they coax, cajole and try to sell patching
    > > to end users?
    
    Redhat will not entirely face the same problem, because everything Red
    Hat does could be augmented by third parties, i.e. someone can, under
    the Open Source system, produce a nice little business offering an
    automatic download service or what have you. Solutions, solutions.
    With Microsoft, well, we all better rest easy and hope you get
    everything working, because it's not like we can check out what's
    going on over at SuSE Microsoft or Mandrake Microsoft and make our
    lives a little easier.
    
    > > Full Disclosure: I work for the evil empire, get over it.
    
    Part of the downfall of life have been people who work for companies
    but don't want to reap the pain of working for the company, just the
    pleasure.  I've had glorious "discussions" with telemarketers and
    store clerks along this line, and would welcome one with you. Keep
    astroturfing, suit.
    
    > > FYI, I mean nothing special about redhat specifically, they are just
    > > the most popular MS alternative in the US
    
    I'd suggest not using "MS Alternative" like there is one right now. If
    Linux was as scary as you've started making it out to be, you'd be
    suing everybody and everything.
    
    In fact, I think that's how 2003 is going to go.
    
    Full Disclosure: I use XP, as a front end to 6 networked FreeBSD boxes
    via samba, and they don't give that rabid dog write access.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Wed Dec 18 2002 - 11:38:00 PST