Forwarded from: security curmudgeon <jericho@private>

: http://news.com.com/2100-7355-5141765.html
:
: By Robert Lemos
: Staff Writer, CNET News.com
: January 15, 2004
:
: Two years after Chairman Bill Gates called on Microsoft to redouble
: its efforts to secure its software, the company is beginning to make
: progress, according to customers--but much work remains.

: Six months after the release of the Windows 2000 operating system,
: Microsoft had warned of system flaws in 32 security advisories; 21
: vulnerabilities were gauged to be critical. Yet six months after
: Microsoft released Windows Server 2003, the successor to Windows 2000,
: after extensive code reviews, the number of flaws had shrunk to 14, with
: only 6 critical issues.
:
: "Customers are better off today than they were a year ago, and they will
: be even better off in the future," said Kevin Kean, a group manager at
: Microsoft's Security Response Center.

Windows security patches are now released once a month. Microsoft has a
long history of silently fixing major security flaws in patches. We update
to protect against A, B and C that made news. That same update protects us
from X, Y and Z that were just as dangerous, but escaped attention. The
numbers (32/21 vs 14/6) mean absolutely nothing.

: Microsoft does make patches available more quickly than in previous
: years, said Mitchell Rubin, president of Lynx Consulting Group in

Why do I think this quote came before Microsoft opted to move to a
once-a-month patch model?

: Rather than releasing advisories every two or three weeks, the company
: now publishes the notifications once a month. It has also turned up the
: pressure on the underground programmers that create worms and viruses by
: offering a bounty on the people or groups who released the Sobig.F virus
: and the MSBlast worm.

.. a bounty that has yielded 0 arrests? 0 virus writer captures? 0 payouts?
: Moreover, some of the bug finders that have been the bane of Microsoft's
: public image for years are starting to take a softer stance toward the
: company, encouraged by greater cooperation from the company's security
: groups.
:
: "They are acting more responsibly," said Thor Larholm, a senior security
: researcher for security firm PivX Solutions and a frequent finder of
: bugs in Microsoft's products. "They have lived up to the spirit of
: Trustworthy Computing, even if they still have problems."

http://www.pivx.com/clients.html

GMAC || BOEING || Microsoft || University of California

I like Mr. Larholm and really appreciate the work he and PivX have done in
the past, but how can anyone take these comments seriously when Microsoft
pays them?

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo@private with 'unsubscribe isn'
in the BODY of the mail.
This archive was generated by hypermail 2b30 : Mon Jan 19 2004 - 03:00:02 PST