Once again Microsoft demonstrates its commitment to security

 
 
Matthew Poole
Guest
Posts: n/a
 
      03-28-2006
http://computerworld.co.nz/news.nsf/...25713F00172749

'With Microsoft saying that it may wait until April 11 to patch a critical
vulnerability in its Internet Explorer browser, security vendor eEye
Digital Security has released what it calls a "temporary" patch to address
the problem.
The bug, which concerns the way IE processes web pages using the
createTextRange() method, is now being exploited by attackers on hundreds
of malicious web sites. Users who might be tricked into visiting these web
sites could have unauthorised software installed on their computers,
security experts warn.'

Yeah, that's definitely a sign of a company that's committed to security.
NOT!

--
Matthew Poole
"Don't use force. Get a bigger hammer."

 
 
 
 
 
impossible
Guest
Posts: n/a
 
      03-28-2006
"Matthew Poole" <> wrote in message
news...
> http://computerworld.co.nz/news.nsf/...25713F00172749
>
> 'With Microsoft saying that it may wait until April 11 to patch a
> critical
> vulnerability in its Internet Explorer browser, security vendor eEye
> Digital Security has released what it calls a "temporary" patch to
> address
> the problem.
> The bug, which concerns the way IE processes web pages using the
> createTextRange() method, is now being exploited by attackers on
> hundreds
> of malicious web sites. Users who might be tricked into visiting
> these web
> sites could have unauthorised software installed on their computers,
> security experts warn.'
>
> Yeah, that's definitely a sign of a company that's committed to
> security.
> NOT!
>
> --


I realize your post was mainly intended to bash Microsoft, but...

This trend for private security companies to voluntarily patch the
security holes that Microsoft discloses is interesting. Leaving aside
the wisdom of generating code-fixes in such an ad hoc way -- which I
have doubts about -- it kind of takes the bite out of the argument
that open-source is the only way to get things done, don't you think?

Windows utilities, Windows applications, Windows addons...now Windows
OS patches. Seems like there's a market for everything
Windows-related, and that there are developers aplenty willing to help
plug any and all the gaps. Would you perhaps concede then that
proprietary software may not be quite the obstacle to innovation that
you thought it was?

Btw -- the last time someone posted an article speculating that MS
would wait until such-and-such a date to post their own official patch,
they were proven wrong almost instantly. Personally, I'm more
concerned that the official patch gets done right than done first. But
for those keeping score, I'd look for something more in a matter of a
few days than two weeks.


 
 
 
 
 
Have A Nice Cup of Tea
Guest
Posts: n/a
 
      03-28-2006
On Wed, 29 Mar 2006 07:23:30 +1200, Matthew Poole wrote:

> Yeah, that's definitely a sign of a company that's committed to security.
> NOT!


But Micro$oft *IS* committed to security - security of its revenue stream.

Why else has Micro$oft changed its historic practice and announced a
publicly available bugtracker for (only) M$IE that requires "passport"
authorisation?


Have A Nice Cup of Tea

--
"Vista - I wouldn't buy it with someone else's money. Then again What do I
know, I've only been testing the dog for the last 2-3 yrs..."

 
 
Matthew Poole
Guest
Posts: n/a
 
      03-28-2006
On Tue, 28 Mar 2006 16:36:33 -0500, someone purporting to be impossible
didst scrawl:

> "Matthew Poole" <> wrote in message
> news...

*SNIP*
> Windows utilities, Windows applications, Windows addons...now Windows
> OS patches. Seems like there's a market for everything
> Windows-related, and that there are developers aplenty willing to help
> plug any and all the gaps. Would you perhaps concede then that
> proprietary software may not be quite the obstacle to innovation that
> you thought it was?
>

The difference is that with OSS the patches are "official". They get
released through official channels, and they don't remove themselves once
a "real official" patch gets released by the vendor.
Also, this patch quite likely required violation of the MS EULA condition
prohibiting reverse-engineering their software. If MS were so inclined
they could try and have eEye done in court for violation of the contract
regarding the use of IE - it would probably fail, but it's a possibility.
OSS places no such restrictions on the end-users.

> Btw -- the last time someone posted an article speculating that MS
> would wait until such-and-such a date to post their own official patch,
> they were proven wrong almost instantly. Personally, I'm more
> concerned that the official patch gets done right than done first. But
> for those keeping score, I'd look for something more in a matter of a
> few days than two weeks.


When MS themselves are implying that it will be a while before the patch
is released, it's not really idle speculation. You're right, though, that
weeks is entirely unacceptable for a bug that is rated highly critical and
is being actively exploited.

--
Matthew Poole
"Don't use force. Get a bigger hammer."

 
 
Allistar
Guest
Posts: n/a
 
      03-29-2006
Matthew Poole wrote:

> http://computerworld.co.nz/news.nsf/...25713F00172749
>
> 'With Microsoft saying that it may wait until April 11 to patch a critical
> vulnerability in its Internet Explorer browser, security vendor eEye
> Digital Security has released what it calls a "temporary" patch to address
> the problem.
> The bug, which concerns the way IE processes web pages using the
> createTextRange() method, is now being exploited by attackers on hundreds
> of malicious web sites. Users who might be tricked into visiting these web
> sites could have unauthorised software installed on their computers,
> security experts warn.'
>
> Yeah, that's definitely a sign of a company that's committed to security.
> NOT!


Surely the most responsible position would be for Microsoft to recommend
using another browser until their browser is fixed?

Shouldn't security companies do the same?

Allistar.
 
 
impossible
Guest
Posts: n/a
 
      03-29-2006
"Matthew Poole" <> wrote in message
news...
> On Tue, 28 Mar 2006 16:36:33 -0500, someone purporting to be
> impossible
> didst scrawl:
>
>> "Matthew Poole" <> wrote in message
>> news...

> *SNIP*


Please refrain from selectively snipping posts. Either discuss a point
in its original context or don't discuss it at all.


 
 
Matthew Poole
Guest
Posts: n/a
 
      03-29-2006
On Wed, 29 Mar 2006 00:06:01 -0500, someone purporting to be impossible
didst scrawl:

> "Matthew Poole" <> wrote in message
> news...
>>> "Matthew Poole" <> wrote in message
>>> news...

>> *SNIP*

>
> Please refrain from selectively snipping posts. Either discuss a point
> in its original context or don't discuss it at all.


GFPATM! I will not have anyone tell me how to snip, or not as the case may
be. If you have a problem with that, feel free to not respond to my posts.
I intensely dislike lazy quoting, so anything that I don't consider
necessary to the point I'm discussing is fair game.

--
Matthew Poole
"Don't use force. Get a bigger hammer."

 
 
Matthew Poole
Guest
Posts: n/a
 
      03-29-2006
On Wed, 29 Mar 2006 12:05:56 +1200, someone purporting to be Allistar
didst scrawl:

> Matthew Poole wrote:

*SNIP*
> Surely the most responsible position would be for Microsoft to recommend
> using another browser until their browser is fixed?
>

Probably. But we all know that that won't happen. They will advise people
to keep their anti-virus software updated (which hasn't protected at least
some of the victims), disable active scripting (which isn't always
possible), and pray for a patch.

> Shouldn't security companies do the same?
>

SANS, at the very least, have done exactly that. Their recommendation is
to use an alternative except where absolutely necessary. This isn't the
first time that an organisation has advised against using IE, and I doubt
it will be the last.

--
Matthew Poole
"Don't use force. Get a bigger hammer."

 
 
impossible
Guest
Posts: n/a
 
      03-29-2006
"Matthew Poole" <> wrote in message
news...
> On Wed, 29 Mar 2006 00:06:01 -0500, someone purporting to be
> impossible
> didst scrawl:
>
>> "Matthew Poole" <> wrote in message
>> news...
>>>> "Matthew Poole" <> wrote in message
>>>> news...
>>> *SNIP*

>>
>> Please refrain from selectively snipping posts. Either discuss a
>> point
>> in its original context or don't discuss it at all.

>
> GFPATM! I will not have anyone tell me how to snip, or not as the
> case may
> be. If you have a problem with that, feel free to not respond to my
> posts.
> I intensely dislike lazy quoting, so anything that I don't consider
> necessary to the point I'm discussing is fair game.
>


Selective quoting is misquoting. People tend to do that when they want
to score a point but can't really think of anything intelligent to say
in reply. How lazy is that?!!


 
 
Peter
Guest
Posts: n/a
 
      03-29-2006
impossible wrote:
> Windows utilities, Windows applications, Windows addons...now Windows
> OS patches. Seems like there's a market for everything
> Windows-related, and that there are developers aplenty willing to help
> plug any and all the gaps. Would you perhaps concede then that
> proprietary software may not be quite the obstacle to innovation that
> you thought it was?


Actually, it better illustrates that a cooperative diverse approach,
combining a multiplicity of contributions from different parties delivers
greater potency, creativity and innovation than the central monopoly
control model.
This applies all over human endeavour, not just to software.



Peter


 
 
 
 