RE: [ISN] Microsoft upgrades IE flaw to critical after criticism

From: InfoSec News (isnat_private)
Date: Tue Dec 17 2002 - 03:25:04 PST


    Forwarded from: "Bill Scherr IV, GSEC, CGIA" <bschnzlat_private>
    
    Folks
    
    I think we can all agree that for most IT workers, Microsoft related
    issues top the list of answered calls.  Even without that fact,
    processors with full keyboard input devices running Microsoft software
    do outnumber those that don't.  The primary users of the overwhelming
    majority of the machines running Microsoft software expect the machine
    to run without regular maintenance or monitoring.  Any dissenters?
    
    Let's step back in time for a moment.  Pretend that you are designing a
    complete digital communications system from scratch.  Would you really
    give the more complex machines to all of your users?  Would you
    propose that all users use that same Byzantine system?  Would you
    stipulate that owners and operators of those systems be denied
    detailed information on the system's inner workings?  OK, the
    engineers really don't have a say in all this.  The answers to the
    above questions highlight why it is important to spread vulnerability,
    if not all internal information, as far and wide and detailed as
    possible.  We are literally flying blind.
    
    Unless we relentlessly echo the issues of this complex, monolithic,
    secret, ubiquitous system we have deployed, we have no hope of
    alerting everyone.  I am not saying we should take out advertisements,
    or get it on the Evening News Shows.  THAT would be counterproductive.
    But this list, of all lists, is one place for repeating issues with
    this system that was built without consulting the engineers.
    
    Now, it is apparent that issuing patches is not working.  The model is
    not likely to work for any software suite.  Albert Einstein said "The
    problems that exist in the world today cannot be solved by the level
    of thinking that created them."  We must adjust the paradigm.
    
    The direction of the shift will not be solved here.  IMHO, we have
    standards bodies, and they need more teeth.  Either way, I believe the
    shift is already occurring.  My $0.02
    
    Mark, I applaud your full disclosure.  I do not believe I have
    anything so pertinent to this issue to disclose!
    
    On 16 Dec 2002 at 5:17, InfoSec News wrote:
    
    > Forwarded from: Mark A. Simos <MSimosat_private>
    > Cc: myemailaccountat_private
    > 
    > The attacks on Microsoft's security are getting repetitious and
    > counter-productive. There are plenty of flaws in many open source
    > products that could be listed and lambasted on a list such as this.
    > 
    > IMHO, the attacks have worked and should be put aside until it is
    > obvious they are needed again. The company shut down production for 2
    > months and forced every developer to review every line of code. That
    > is a pretty serious commitment for a profit-driven corporation. The
    > versions of the software most directly affected have not even been
    > released in production yet.
    > 
    > How would you motivate a large number of home-users to patch
    > affected systems? RedHat et al currently still have the mixed
    > blessing of not having a large install base of unmanaged home PCs.
    > RedHat will face the exact same problem if/when it gains market share
    > in that area. Then what? Do they, remotely as the RedHat root account,
    > force people to patch? Do they coax, cajole and try to sell patching
    > to end users?
    > 
    > Full Disclosure: I work for the evil empire, get over it.
    > 
    > FYI, I mean nothing special about RedHat specifically, they are just
    > the most popular MS alternative in the US.
    
    
    Bill Scherr IV, GSEC, GCIA
    Electronic Warfare Associates / IIT
    Lafayette RTI, Camp Johnson
    Colchester, VT 05446
    802-338-3213
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Wed Dec 18 2002 - 13:12:58 PST