Once again Microsoft demonstrates its commitment to security

Discussion in 'NZ Computing' started by Matthew Poole, Mar 28, 2006.

  1. http://computerworld.co.nz/news.nsf/NL/63C41A193FC40C05CC25713F00172749

    'With Microsoft saying that it may wait until April 11 to patch a critical
    vulnerability in its Internet Explorer browser, security vendor eEye
    Digital Security has released what it calls a "temporary" patch to address
    the problem.
    The bug, which concerns the way IE processes web pages using the
    createTextRange() method, is now being exploited by attackers on hundreds
    of malicious web sites. Users who might be tricked into visiting these web
    sites could have unauthorised software installed on their computers,
    security experts warn.'

    Yeah, that's definitely a sign of a company that's committed to security.
    NOT!

    --
    Matthew Poole
    "Don't use force. Get a bigger hammer."
     
    Matthew Poole, Mar 28, 2006
    #1

  2. Matthew Poole

    impossible Guest

    "Matthew Poole" <> wrote in message
    news:p...
    > http://computerworld.co.nz/news.nsf/NL/63C41A193FC40C05CC25713F00172749
    >
    > 'With Microsoft saying that it may wait until April 11 to patch a
    > critical
    > vulnerability in its Internet Explorer browser, security vendor eEye
    > Digital Security has released what it calls a "temporary" patch to
    > address
    > the problem.
    > The bug, which concerns the way IE processes web pages using the
    > createTextRange() method, is now being exploited by attackers on
    > hundreds
    > of malicious web sites. Users who might be tricked into visiting
    > these web
    > sites could have unauthorised software installed on their computers,
    > security experts warn.'
    >
    > Yeah, that's definitely a sign of a company that's committed to
    > security.
    > NOT!
    >
    > --


    I realize your post was mainly intended to bash Microsoft, but...

    This trend for private security companies to voluntarily patch the
    security holes that Microsoft discloses is interesting. Leaving aside
    the wisdom of generating code-fixes in such an ad hoc way -- which I
    have doubts about -- it kind of takes the bite out of the argument
    that open-source is the only way to get things done, don't you think?

    Windows utilities, Windows applications, Windows addons...now Windows
    OS patches. Seems like there's a market for everything
    Windows-related, and that there are developers aplenty willing to help
    plug any and all the gaps. Would you perhaps concede then that
    proprietary software may not be quite the obstacle to innovation that
    you thought it was?

    Btw -- the last time someone posted an article speculating that MS
    would wait until such-and-such a date to post their own official patch,
    they were proven wrong almost instantly. Personally, I'm more
    concerned that the official patch gets done right than done first. But
    for those keeping score, I'd look for something more in a matter of a
    few days than two weeks.
     
    impossible, Mar 28, 2006
    #2

  3. On Wed, 29 Mar 2006 07:23:30 +1200, Matthew Poole wrote:

    > Yeah, that's definitely a sign of a company that's committed to security.
    > NOT!


    But Micro$oft *IS* committed to security - security of its revenue stream.

    Why else has Micro$oft changed its historic practice and announced a
    publicly available bugtracker for (only) M$IE that requires "passport"
    authorisation?


    Have A Nice Cup of Tea

    --
    "Vista - I wouldn't buy it with someone else's money. Then again What do I
    know, I've only been testing the dog for the last 2-3 yrs..."
     
    Have A Nice Cup of Tea, Mar 28, 2006
    #3
  4. On Tue, 28 Mar 2006 16:36:33 -0500, someone purporting to be impossible
    didst scrawl:

    > "Matthew Poole" <> wrote in message
    > news:p...

    *SNIP*
    > Windows utilities, Windows applications, Windows addons...now Windows
    > OS patches. Seems like there's a market for everything
    > Windows-related, and that there are developers aplenty willing to help
    > plug any and all the gaps. Would you perhaps concede then that
    > proprietary software may not be quite the obstacle to innovation that
    > you thought it was?
    >

    The difference is that with OSS the patches are "official". They get
    released through official channels, and they don't remove themselves once
    a "real official" patch gets released by the vendor.
    Also, this patch quite likely required violation of the MS EULA condition
    prohibiting reverse-engineering their software. If MS were so inclined
    they could try and have eEye done in court for violation of the contract
    regarding the use of IE - it would probably fail, but it's a possibility.
    OSS places no such restrictions on the end-users.

    > Btw -- the last time someone posted an article speculating that MS
    > would wait until such-and-such a date to post their own official patch,
    > they were proven wrong almost instantly. Personally, I'm more
    > concerned that the official patch gets done right than done first. But
    > for those keeping score, I'd look for something more in a matter of a
    > few days than two weeks.


    When MS themselves are implying that it will be a while before the patch
    is released, it's not really idle speculation. You're right, though, that
    weeks is entirely unacceptable for a bug that is rated highly critical and
    is being actively exploited.

    --
    Matthew Poole
    "Don't use force. Get a bigger hammer."
     
    Matthew Poole, Mar 28, 2006
    #4
  5. Matthew Poole

    Allistar Guest

    Matthew Poole wrote:

    > http://computerworld.co.nz/news.nsf/NL/63C41A193FC40C05CC25713F00172749
    >
    > 'With Microsoft saying that it may wait until April 11 to patch a critical
    > vulnerability in its Internet Explorer browser, security vendor eEye
    > Digital Security has released what it calls a "temporary" patch to address
    > the problem.
    > The bug, which concerns the way IE processes web pages using the
    > createTextRange() method, is now being exploited by attackers on hundreds
    > of malicious web sites. Users who might be tricked into visiting these web
    > sites could have unauthorised software installed on their computers,
    > security experts warn.'
    >
    > Yeah, that's definitely a sign of a company that's committed to security.
    > NOT!


    Surely the most responsible position would be for Microsoft to recommend
    using another browser until their browser is fixed?

    Shouldn't security companies do the same?

    Allistar.
     
    Allistar, Mar 29, 2006
    #5
  6. Matthew Poole

    impossible Guest

    "Matthew Poole" <> wrote in message
    news:p...
    > On Tue, 28 Mar 2006 16:36:33 -0500, someone purporting to be
    > impossible
    > didst scrawl:
    >
    >> "Matthew Poole" <> wrote in message
    >> news:p...

    > *SNIP*


    Please refrain from selectively snipping posts. Either discuss a point
    in its original context or don't discuss it all.
     
    impossible, Mar 29, 2006
    #6
  7. On Wed, 29 Mar 2006 00:06:01 -0500, someone purporting to be impossible
    didst scrawl:

    > "Matthew Poole" <> wrote in message
    > news:p...
    >>> "Matthew Poole" <> wrote in message
    >>> news:p...

    >> *SNIP*

    >
    > Please refrain from selectively snipping posts. Either discuss a point
    > in its original context or don't discuss it all.


    GFPATM! I will not have anyone tell me how to snip, or not as the case may
    be. If you have a problem with that, feel free to not respond to my posts.
    I intensely dislike lazy quoting, so anything that I don't consider
    necessary to the point I'm discussing is fair game.

    --
    Matthew Poole
    "Don't use force. Get a bigger hammer."
     
    Matthew Poole, Mar 29, 2006
    #7
  8. On Wed, 29 Mar 2006 12:05:56 +1200, someone purporting to be Allistar
    didst scrawl:

    > Matthew Poole wrote:

    *SNIP*
    > Surely the most responsible position would be for Microsoft to recommend
    > using another browser until their browser is fixed?
    >

    Probably. But we all know that that won't happen. They will advise people
    to keep their anti-virus software updated (which hasn't protected at least
    some of the victims), disable active scripting (which isn't always
    possible), and pray for a patch.

    > Shouldn't security companies do the same?
    >

    SANS, at the very least, have done exactly that. Their recommendation is
    to use an alternative except where absolutely necessary. This isn't the
    first time that an organisation has advised against using IE, and I doubt
    it will be the last.

    --
    Matthew Poole
    "Don't use force. Get a bigger hammer."
     
    Matthew Poole, Mar 29, 2006
    #8
  9. Matthew Poole

    impossible Guest

    "Matthew Poole" <> wrote in message
    news:p...
    > On Wed, 29 Mar 2006 00:06:01 -0500, someone purporting to be
    > impossible
    > didst scrawl:
    >
    >> "Matthew Poole" <> wrote in message
    >> news:p...
    >>>> "Matthew Poole" <> wrote in message
    >>>> news:p...
    >>> *SNIP*

    >>
    >> Please refrain from selectively snipping posts. Either discuss a
    >> point
    >> in its original context or don't discuss it all.

    >
    > GFPATM! I will not have anyone tell me how to snip, or not as the
    > case may
    > be. If you have a problem with that, feel free to not respond to my
    > posts.
    > I intensely dislike lazy quoting, so anything that I don't consider
    > necessary to the point I'm discussing is fair game.
    >


    Selective quoting is misquoting. People tend to do that when they want
    to score a point but can't really think of anything intelligent to say
    in reply. How lazy is that?!!
     
    impossible, Mar 29, 2006
    #9
  10. Matthew Poole

    Peter Guest

    impossible wrote:
    > Windows utilities, Windows applications, Windows addons...now Windows
    > OS patches. Seems like there's a market for everything
    > Windows-related, and that there are developers aplenty willing to help
    > plug any and all the gaps. Would you perhaps concede then that
    > proprietary software may not be quite the obstacle to innovation that
    > you thought it was?


    Actually, it better illustrates that a cooperative diverse approach,
    combining a multiplicity of contributions from different parties delivers
    greater potency, creativity and innovation than the central monopoly
    control model.
    This applies all over human endeavour, not just to software.



    Peter
     
    Peter, Mar 29, 2006
    #10
  11. Matthew Poole

    Craig Sutton Guest

    "Matthew Poole" <> wrote in message
    news:p...
    > http://computerworld.co.nz/news.nsf/NL/63C41A193FC40C05CC25713F00172749
    >
    > 'With Microsoft saying that it may wait until April 11 to patch a critical
    > vulnerability in its Internet Explorer browser, security vendor eEye
    > Digital Security has released what it calls a "temporary" patch to address
    > the problem.
    > The bug, which concerns the way IE processes web pages using the
    > createTextRange() method, is now being exploited by attackers on hundreds
    > of malicious web sites. Users who might be tricked into visiting these web
    > sites could have unauthorised software installed on their computers,
    > security experts warn.'
    >
    > Yeah, that's definitely a sign of a company that's committed to security.
    > NOT!


    Should they bring it out April 1st you reckon?
     
    Craig Sutton, Mar 29, 2006
    #11
  12. In article <>, "impossible" <> wrote:
    (snip)
    >Selective quoting is misquoting. People tend to do that when they want
    >to score a point but can't really think of anything intelligent to say
    >in reply. How lazy is that?!!


    Au contraire blackadder. Selective quoting means you don't clutter up what
    you are replying to with screeds of irrelevant crud (and god knows there's
    often a lot of that :) ).

    Much better to cut out all the irrelevant and reply to the one or 2 points
    you want to.


    Bruce

    ----------------------------------------
    I believe you find life such a problem because you think there are the good
    people and the bad people. You're wrong, of course. There are, always and
    only, the bad people, but some of them are on opposite sides.

    Lord Vetinari in Guards ! Guards ! - Terry Pratchett

    Caution ===== followups may have been changed to relevant groups
    (if there were any)
     
    Bruce Sinclair, Mar 30, 2006
    #12
  13. On Thu, 30 Mar 2006 00:17:08 +0000, someone purporting to be Bruce
    Sinclair didst scrawl:

    > In article <>, "impossible" <> wrote:
    > (snip)
    >>Selective quoting is misquoting. People tend to do that when they want
    >>to score a point but can't really think of anything intelligent to say
    >>in reply. How lazy is that?!!

    >
    > Au contraire blackadder. Selective quoting means you don't clutter up what
    > you are replying to with screeds of irrelevant crud (and god knows there's
    > often a lot of that :) ).
    >

    impossible is certainly doing his/her bit for the S:N ratio. A cursory
    examination reveals a 110-line post that contributed six lines, and a
    147-line one that contributed seven. Oh, and there's a 105-line one that
    contributes TWO! I guess that's an improvement on a "Me too" post.

    > Much better to cut out all the irrelevant and reply to the one or 2 points
    > you want to.
    >

    That would require thought, though, Bruce. It's far easier to not snip
    anything and then claim that you're doing it in the name of maintaining
    context for everything you've quoted - and that the quotee quoted, etc etc
    ad nauseam.
    Not that I'm calling impossible lazy, of course, since that would just be
    the pot calling the kettle a darker shade of charcoal :p

    At least they're not a <voice type="stage whisper">top-poster</voice>.

    --
    Matthew Poole
    "Don't use force. Get a bigger hammer."
     
    Matthew Poole, Mar 30, 2006
    #13
  14. Matthew Poole

    impossible Guest

    "Matthew Poole" <> wrote in message
    news:p...
    > On Thu, 30 Mar 2006 00:17:08 +0000, someone purporting to be Bruce
    > Sinclair didst scrawl:
    >
    >> In article <>, "impossible"
    >> <> wrote:
    >> (snip)
    >>>Selective quoting is misquoting. People tend to do that when they
    >>>want
    >>>to score a point but can't really think of anything intelligent to
    >>>say
    >>>in reply. How lazy is that?!!


    <SNIP>

    (and god knows there's often a lot of that :) ).

    <SNIP>

    Couldn't agree more.
     
    impossible, Mar 30, 2006
    #14
  15. Matthew Poole

    impossible Guest

    "Bruce Sinclair" <>
    wrote in message news:9sFWf.9509$...
    > In article <>, "impossible"
    > <> wrote:
    > (snip)
    >>Selective quoting is misquoting. People tend to do that when they
    >>want
    >>to score a point but can't really think of anything intelligent to
    >>say
    >>in reply. How lazy is that?!!

    >

    <SNIP>

    > reply to the one or 2 points you want to.
    >


    Couldn't find a point worth replying to. But thanks all the same.
     
    impossible, Mar 30, 2006
    #15
  16. In article <>, Matthew Poole <> wrote:
    (snip)
    >At least they're not a <voice type="stage whisper">top-poster</voice>.


    LOL :)


    Bruce

     
    Bruce Sinclair, Mar 30, 2006
    #16
  17. In article <>, "impossible" <> wrote:
    >"Matthew Poole" <> wrote in message
    >news:p...
    >> On Thu, 30 Mar 2006 00:17:08 +0000, someone purporting to be Bruce
    >> Sinclair didst scrawl:
    >>> In article <>, "impossible"
    >>> <> wrote:
    >>> (snip)
    >>>>Selective quoting is misquoting. People tend to do that when they
    >>>>want
    >>>>to score a point but can't really think of anything intelligent to
    >>>>say
    >>>>in reply. How lazy is that?!!

    >
    ><SNIP>
    >
    >(and god knows there's often a lot of that :) ).
    >
    ><SNIP>
    >
    >Couldn't agree more.


    However, you do need to be selective ... and leave in sufficient so that
    what you type makes some kind of sense :) :)


    Bruce

     
    Bruce Sinclair, Mar 30, 2006
    #17
  18. In article <>, "impossible" <> wrote:
    >"Bruce Sinclair" <>
    >wrote in message news:9sFWf.9509$...
    >> In article <>, "impossible"
    >> <> wrote:
    >> (snip)
    >>>Selective quoting is misquoting. People tend to do that when they
    >>>want
    >>>to score a point but can't really think of anything intelligent to
    >>>say
    >>>in reply. How lazy is that?!!

    ><SNIP>
    >> reply to the one or 2 points you want to.


    >Couldn't find a point worth replying to. But thanks all the same.


    ... then the point is ... not to. Easy enough ... see how simple it is once
    it's explained to you ? Now try it - nothing here worth replying to :)






    Bruce

     
    Bruce Sinclair, Mar 30, 2006
    #18
  19. Matthew Poole

    SchoolTech Guest

    Matthew Poole wrote:
    > http://computerworld.co.nz/news.nsf/NL/63C41A193FC40C05CC25713F00172749
    >
    > 'With Microsoft saying that it may wait until April 11 to patch a critical
    > vulnerability in its Internet Explorer browser, security vendor eEye
    > Digital Security has released what it calls a "temporary" patch to address
    > the problem.
    > The bug, which concerns the way IE processes web pages using the
    > createTextRange() method, is now being exploited by attackers on hundreds
    > of malicious web sites. Users who might be tricked into visiting these web
    > sites could have unauthorised software installed on their computers,
    > security experts warn.'
    >
    > Yeah, that's definitely a sign of a company that's committed to security.
    > NOT!


    MS's patch will be thoroughly tested.
    Does eEye have any significant test resources?
     
    SchoolTech, Mar 30, 2006
    #19
  20. On Thu, 30 Mar 2006 18:11:26 +1200, someone purporting to be SchoolTech
    didst scrawl:

    > Matthew Poole wrote:

    *SNIP*
    > MS's patch will be thoroughly tested.

    Yes, we all know about their "thorough testing". Though I grant that they
    haven't produced any real doozies since XP SP2.

    > Does eEye have any significant test resources?

    No idea. How hard is it to test a patch that turns off a particular
    scripting function? This isn't rocket science.

    --
    Matthew Poole
    "Don't use force. Get a bigger hammer."
     
    Matthew Poole, Mar 30, 2006
    #20