Re: [ISN] Microsoft upgrades IE flaw to critical after criticism

From: InfoSec News (isnat_private)
Date: Fri Dec 20 2002 - 02:06:39 PST

  • Next message: InfoSec News: "[ISN] Hooray for TIA"

    Forwarded from: Aj Effin Reznor <ajat_private>
    [Last one on this topic...  - WK]
    Yes, the Return of the Glib One...
    "InfoSec News was known to say....."
    > The attacks on Microsoft's security are getting repetitious and
    > counter-productive. There are plenty of flaws in many open source
    > products that could be listed and lambasted on a list such as this.
    Counter-productive, *how* ?  Is that to say that people are tired of
    hearing that the sky is falling, or that MS is getting tired of it?
    > IMHO, the attacks have worked and should be put aside until it is
    > obvious they are needed again. The company shutdown production for 2
    > months and forced every developer to review every line of code. That
    > is a pretty serious commitment for a profit driven corporation. The
    > versions of the software most directly affected have not even been
    > released in production yet.
    The media reported that coders were taken offline and taught how to
    "code securely".  In an age when "good code" is code that is tweaked
    until the compiler no longer throws errors, security is clearly a long
    way off.
    If MS did indeed shut down for 2 months, as you claim, then perhaps 4
    months, or 6, or 8 would be yielding something we could see.
    Sure, a lot of what we have here are "legacy" items, but you'd think
    that a 2 month code audit would have found all (if not most) of the
    problems and resulted in some fat hotfixes/SPs to correct them all,
    rather than having, say, an exploitable image format (PNG anyone?)
    *still* present.  What good did this 2 month downtime do, other than
    server PR ?
    > How would you motivate a large number of home-users to patch
    > affected systems? RedHat et al currently still have the mixed
    > blessing of not having a large install base of unmanaged home PCs.
    > RedHat will face the exact same problem if/when it gains marketshare
    > in that area. then what? do they remotely as redhat root account
    > force people to patch? do they coax, cajole and try to sell patching
    > to end users?
    What's MS doing?  Denying that problems are serious, so much as
    telling users practically that the patches aren't really needed
    because "that vulnerability is entirely theoretical" ?
    > Full Disclosure: I work for the evil empire, get over it.
    Over it?  It's your soul, not mine...
    ISN is currently hosted by
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Fri Dec 20 2002 - 20:08:05 PST