IE vulnerabilities...



Imhotep
07-09-2005, 10:51 PM
http://it.slashdot.org/article.pl?sid=05/05/15/139208&from=rss

-Im

Karl Levinson [x y], mvp
07-09-2005, 10:51 PM
"Imhotep" wrote:

> http://it.slashdot.org/article.pl?sid=05/05/15/139208&from=rss

Totally bogus, manufactured nonsense.

Some people will always prefer open source over Microsoft software.
Unfortunately for us, like a Jehovah's Witness who knocks on your door once a
month, those people won't stop talking about it.

The "huge hole" these articles are referring to is the typical 30 to 45 days
it takes for MS to release a patch. This has been the case for years,
so it must have been a very slow news day for someone to post this as "news."
I for one am happy that MS takes the time to properly beta test patches.
Since these vulnerabilities are not public, MS has time to spare on this and
you and I are not at huge risk. This is not the proof that MS is sluggish
and doesn't care about security that these articles are claiming. Given that
we know nothing about these vulnerabilities, except that user interaction is
required to exploit them, and presumably no one but eeye has the exploit
code, it's a little premature for anyone to be claiming that MS is leaving us
at risk to "huge .

Microsoft, Oracle and other companies have switched to releasing security
updates once per month [or once per quarter in Oracle's case]. This was done
by customer request and met with general approval from the public. No one is
screaming that Oracle doesn't care about security or is leaving customers at
risk because they're only releasing patches every three months, nor should
they be.

Incidentally, the "news sources" that "anonymous" at slashdot claims are
saying "are reporting that in comparison with the Mozilla Foundation's prompt
fix for the recently reported Mozilla 1.0.3 vulnerabilities MS appear to be
leaving a large window for the possible malicious exploitation of these
flaws" read more like a blog than an actual source of news.

-------------------------
Microsoft Security FAQ:
http://www.securityadmin.info

Jack
07-09-2005, 10:51 PM
Both the vulnerabilities were reported/disclosed on the same day. Firefox has
already been fixed (within a week of disclosure) so I don't see why you would
set it as an example. The open source community does seem to get patches out
a lot faster (and they have less money). Microsoft was and is always sluggish
in regards to patching vulnerabilities (it's not alone but it's the most
noticeable) as well as making use of their own (*nix and mac ripoffs) features
(such as permissions on NTFS) to better protect the users from executing
things randomly (SP2 for Windows XP is a starting point but still does not do
the job). Face it...

On another note, what the hell is wrong with the way text is displayed on
these forums? I mean this defacement/XSS protection is a piece of junk -- the
messages are not displayed correctly in web browsers at least. Hopefully
that'll get fixed soon.

Roger Abell
07-09-2005, 10:51 PM
"Jack" </dev/null> wrote in message
news:E1E03C47-1018-48F5-8FE6-373CF1A9F377@microsoft.com...
> Both the vulnerabilities were reported/disclosed on the same day. Firefox has
> already been fixed (within a week of disclosure) so I don't see why you would
> set it as an example. The open source community does seem to get patches out
> a lot faster (and they have less money). Microsoft was and is always sluggish
> in regards to patching vulnerabilities (it's not alone but it's the most
> noticeable) as well as making use of their own (*nix and mac ripoffs) features
> (such as permissions on NTFS) to better protect the users from executing
> things randomly (SP2 for Windows XP is a starting point but still does not do
> the job). Face it...
>

Fair enough observation, but consider, MS has something like 4 or 5
supported versions of IE afloat out there, and each of these is released
in some 30 or so languages. Do the numbers and figure that the delay is
not in writing the patch and researching further implications, but in the
regression testing for all the supported variations . . .
I am not so sure the Firefox community is ready to deal with that
sort of legacy and multi-locale client base, but know they do not yet
have to and so have freedom to appear more agile today.

> On another note, what the hell is wrong with the way text is displayed on
> these forums? I mean this defacement/XSS protection is a piece of junk -- the
> messages are not displayed correctly in web browsers at least. Hopefully
> that'll get fixed soon.

Imhotep
07-09-2005, 10:51 PM
Roger Abell wrote:

> "Jack" </dev/null> wrote in message
> news:E1E03C47-1018-48F5-8FE6-373CF1A9F377@microsoft.com...
>> Both the vulnerabilities were reported/disclosed on the same day. Firefox has
>> already been fixed (within a week of disclosure) so I don't see why you would
>> set it as an example. The open source community does seem to get patches out
>> a lot faster (and they have less money). Microsoft was and is always sluggish
>> in regards to patching vulnerabilities (it's not alone but it's the most
>> noticeable) as well as making use of their own (*nix and mac ripoffs) features
>> (such as permissions on NTFS) to better protect the users from executing
>> things randomly (SP2 for Windows XP is a starting point but still does not do
>> the job). Face it...
>>
>
> Fair enough observation, but consider, MS has something like 4 or 5
> supported versions of IE afloat out there, and each of these is released
> in some 30 or so languages.

First, the number of languages really does not have too much to do with
it...this is yet another cross scripting vulnerability. It has to do with
the code, not the languages that appear on the buttons.

> Do the numbers and figure that the delay is
> not in writing the patch and researching further implications, but in the
> regression testing for all the supported variations . . .

Lame excuse. When it comes to critical patches get more resources if you
need it. GET IT DONE!

> I am not so sure the Firefox community is ready to deal with that
> sort of legacy and multi-locale client base, but know they do not yet
> have to and so have freedom to appear more agile today.

There are many browsers that support many, many languages. This is
irrelevant as it is the code that has some serious security flaws. Hence
the only language that matters here is C++....

Why are you taking the article so damn personally? I posted it to let people
know that there are serious security holes that will not be fixed for a
while...Does everything have to be pro-Microsoft/anti-Microsoft? Are things
really that black and white in this newsgroup?

>> On another note, what the hell is wrong with the way text is displayed on
>> these forums? I mean this defacement/XSS protection is a piece of junk -- the
>> messages are not displayed correctly in web browsers at least. Hopefully
>> that'll get fixed soon.

Is the text from my postings not showing up correctly?

-Im

Srikrishna Komatineni
07-09-2005, 10:51 PM
So...
Yes we do care about security..but that doesn't mean lock everything and
wander somewhere...security is very much important but we need to consider
the user experience...
With the latest SP & the 2003 IE is much better...



"Imhotep" <NoSpam@nothanks.net> wrote in message
news:ueRhe.81134$tQ.44590@fed1read06...
> http://it.slashdot.org/article.pl?sid=05/05/15/139208&from=rss
>
> -Im
>

andy smart
07-09-2005, 10:51 PM
Imhotep wrote:
> Roger Abell wrote:
>
>
>>"Jack" </dev/null> wrote in message
>>news:E1E03C47-1018-48F5-8FE6-373CF1A9F377@microsoft.com...
>>
>>>Both the vulnerabilities were reported/disclosed on the same day. Firefox
>>
>>has
>>
>>>already been fixed (within a week of disclosure) so I don't see why you
>>
>>would
>>
>>>set it as an example. The open source community does seem to get patches
>>
>>out
>>
>>>a lot faster (and they have less money). Microsoft was and is always
>>
>>sluggish
>>
>>>in regards to patching vulnerabilities (it's not alone but it's the most
>>>noticeable) as well as making use of their own (*nix and mac ripoffs)
>>
>>features
>>
>>>(such as permissions on NTFS) to better protect the users from executing
>>>things randomly (SP2 for Windows XP is a starting point but still does
>>>not
>>
>>do
>>
>>>the job). Face it...
>>>
>>
>>Fair enough observation, but consider, MS has something like 4 or 5
>>supported versions of IE afloat out there, and each of these is released
>>in some 30 or so languages.
>
>
> First, the number of languages really does not have too much to do with
> it...this is yet another cross scripting vulnerability. It has to do with
> the code, not the languages that appear on the buttons.
>
>
>>Do the numbers and figure that the delay is
>>not in writing the patch and researching further implications, but in the
>>regression testing for all the supported variations . . .
>
>
> Lame excuse. When it comes to critical patches get more resources if you
> need it. GET IT DONE!

I don't in principle disagree with that as an idea. But of course more
resources on this project would mean either a) employ more bodies and put
up prices to cover the cost or b) divert employees from other projects.
The big advantage that Mozilla has is that they are essentially focussed
on one project area and so all their resources can be apportioned to
that - the disadvantage is that they can't target their staff onto projects.


>
>
>>I am not so sure the Firefox community is ready to deal with that
>>sort of legacy and multi-locale client base, but know they do not yet
>>have to and so have freedom to appear more agile today.
>
>
> There are many browsers that support many, many languages. This is
> irrelevant as it is the code that has some serious security flaws. Hence
> the only language that matters here is C++....
>
> Why are you taking the article so damn personal. I posted it to let people
> know that there are serious security holes that will not be fixed for a
> while...Does everything have to be pro-microsoft/anti-microsoft? Are things
> really that black and white in this newsgroup?
>
>
>>>On another note, what the hell is wrong with the way text is displayed on
>>>these forums? I mean this defacement/XSS protection is a piece of junk --
>>
>>the
>>
>>>messages are not displayed correctly in web browsers at least. Hopefully
>>>that'll get fixed soon.
>
>
> Are the text from my postings not showing up correctly?
>
> -Im

Roger Abell
07-09-2005, 10:51 PM
"Imhotep" <NoSpam@nothanks.net> wrote in message
news:s8iie.73$Wo.26@fed1read03...
> Roger Abell wrote:
>
> > "Jack" </dev/null> wrote in message
> > news:E1E03C47-1018-48F5-8FE6-373CF1A9F377@microsoft.com...
> >> Both the vulnerabilities were reported/disclosed on the same day. Firefox has
> >> already been fixed (within a week of disclosure) so I don't see why you would
> >> set it as an example. The open source community does seem to get patches out
> >> a lot faster (and they have less money). Microsoft was and is always sluggish
> >> in regards to patching vulnerabilities (it's not alone but it's the most
> >> noticeable) as well as making use of their own (*nix and mac ripoffs) features
> >> (such as permissions on NTFS) to better protect the users from executing
> >> things randomly (SP2 for Windows XP is a starting point but still does not do
> >> the job). Face it...
> >>
> >
> > Fair enough observation, but consider, MS has something like 4 or 5
> > supported versions of IE afloat out there, and each of these is released
> > in some 30 or so languages.
>
> First, the number of languages really does not have too much to do with
> it...this is yet another cross scripting vulnerability. It has to do with
> the code, not the languages that appear on the buttons.
>

You are making the assumption that all locale differences are just
in resource files for the display text. In fact, though, different
OSes have multilanguage add-ons which present different binaries
that need to be used also, making a pretty big test matrix when
you take OS host x 32/64 x IE versions x locales

> > Do the numbers and figure that the delay is
> > not in writing the patch and researching further implications, but in the
> > regression testing for all the supported variations . . .
>
> Lame excuse. When it comes to critical patches get more resources if you
> need it. GET IT DONE!
>
> > I am not so sure the Firefox community is ready to deal with that
> > sort of legacy and multi-locale client base, but know they do not yet
> > have to and so have freedom to appear more agile today.
>
> There are many browsers that support many, many languages. This is
> irrelevant as it is the code that has some serious security flaws. Hence
> the only language that matters here is C++....
>
> Why are you taking the article so damn personally? I posted it to let people
> know that there are serious security holes that will not be fixed for a
> while...Does everything have to be pro-Microsoft/anti-Microsoft? Are things
> really that black and white in this newsgroup?
>
> >> On another note, what the hell is wrong with the way text is displayed on
> >> these forums? I mean this defacement/XSS protection is a piece of junk --
> >> the messages are not displayed correctly in web browsers at least.
> >> Hopefully that'll get fixed soon.
>
> Is the text from my postings not showing up correctly?
>
> -Im

Imhotep
07-09-2005, 10:51 PM
Roger Abell wrote:

> "Imhotep" <NoSpam@nothanks.net> wrote in message
> news:s8iie.73$Wo.26@fed1read03...
>> Roger Abell wrote:
>>
>> > "Jack" </dev/null> wrote in message
>> > news:E1E03C47-1018-48F5-8FE6-373CF1A9F377@microsoft.com...
>> >> Both the vulnerabilities were reported/disclosed on the same day. Firefox has
>> >> already been fixed (within a week of disclosure) so I don't see why you would
>> >> set it as an example. The open source community does seem to get patches out
>> >> a lot faster (and they have less money). Microsoft was and is always sluggish
>> >> in regards to patching vulnerabilities (it's not alone but it's the most
>> >> noticeable) as well as making use of their own (*nix and mac ripoffs) features
>> >> (such as permissions on NTFS) to better protect the users from executing
>> >> things randomly (SP2 for Windows XP is a starting point but still does not do
>> >> the job). Face it...
>> >>
>> >
>> > Fair enough observation, but consider, MS has something like 4 or 5
>> > supported versions of IE afloat out there, and each of these is
>> > released in some 30 or so languages.
>>
>> First, the number of languages really does not have too much to do with
>> it...this is yet another cross scripting vulnerability. It has to do with
>> the code, not the languages that appear on the buttons.
>>
>
> You are making the assumption that all locale differences are just
> in resource files for the display text. In fact, though, different
> OSes have multilanguage add-ons which present different binaries
> that need to be used also, making a pretty big test matrix when
> you take OS host x 32/64 x IE versions x locales

Lame excuse. This is a critical security flaw, actually at least two of
them. This is also the biggest software company in the world. FIX THE DAMN
CODE SO MORE PEOPLE DO NOT GET INFECTED! Enough with the lame excuses; they
are falling on deaf ears....

>> > Do the numbers and figure that the delay is
>> > not in writing the patch and researching further implications, but in the
>> > regression testing for all the supported variations . . .
>>
>> Lame excuse. When it comes to critical patches get more resources if you
>> need it. GET IT DONE!
>>
>> > I am not so sure the Firefox community is ready to deal with that
>> > sort of legacy and multi-locale client base, but know they do not yet
>> > have to and so have freedom to appear more agile today.
>>
>> There are many browsers that support many, many languages. This is
>> irrelevant as it is the code that has some serious security flaws. Hence
>> the only language that matters here is C++....
>>
>> Why are you taking the article so damn personally? I posted it to let
>> people know that there are serious security holes that will not be fixed
>> for a while...Does everything have to be pro-Microsoft/anti-Microsoft?
>> Are things really that black and white in this newsgroup?
>>
>> >> On another note, what the hell is wrong with the way text is displayed on
>> >> these forums? I mean this defacement/XSS protection is a piece of junk --
>> >> the messages are not displayed correctly in web browsers at least.
>> >> Hopefully that'll get fixed soon.
>>
>> Is the text from my postings not showing up correctly?
>>
>> -Im

Imhotep
07-09-2005, 10:51 PM
andy smart wrote:

> Imhotep wrote:
>> Roger Abell wrote:
>>
>>
>>>"Jack" </dev/null> wrote in message
>>>news:E1E03C47-1018-48F5-8FE6-373CF1A9F377@microsoft.com...
>>>
>>>>Both the vulnerabilities were reported/disclosed on the same day.
>>>>Firefox
>>>
>>>has
>>>
>>>>already been fixed (within a week of disclosure) so I don't see why you
>>>
>>>would
>>>
>>>>set it as an example. The open source community does seem to get patches
>>>
>>>out
>>>
>>>>a lot faster (and they have less money). Microsoft was and is always
>>>
>>>sluggish
>>>
>>>>in regards to patching vulnerabilities (it's not alone but it's the most
>>>>noticeable) as well as making use of their own (*nix and mac ripoffs)
>>>
>>>features
>>>
>>>>(such as permissions on NTFS) to better protect the users from executing
>>>>things randomly (SP2 for Windows XP is a starting point but still does
>>>>not
>>>
>>>do
>>>
>>>>the job). Face it...
>>>>
>>>
>>>Fair enough observation, but consider, MS has something like 4 or 5
>>>supported versions of IE afloat out there, and each of these is released
>>>in some 30 or so languages.
>>
>>
>> First, the number of languages really does not have too much to do with
>> it...this is yet another cross scripting vulnerability. It has to do with
>> the code, not the languages that appear on the buttons.
>>
>>
>>>Do the numbers and figure that the delay is
>>>not in writing the patch and researching further implications, but in the
>>>regression testing for all the supported variations . . .
>>
>>
>> Lame excuse. When it comes to critical patches get more resources if you
>> need it. GET IT DONE!
>
> I don't in principle disagree with that as an idea. But of course more
> resources on this project would mean either a)employ more bodies and put
> up prices to cover the cost or b)divert employees from other projects.
> The big advantage that Mozilla has is that they are essentially focussed
> on one project area and so all their resources can be apportioned to
> that - the disadvantage is that they can't target their staff onto
> projects.

Yet another lame excuse. Is it not that Microsoft brags that they have
billions in cash reserve? Are they not the biggest software company on the
planet? Have they not been touting their new "security Initiative"? It is
pretty sad that they are sweeping this under the rug and in the process
getting beat by a tiny un-influential group of coders....how pathetic.

Software bugs are common in all software. However, sweeping them under the
rug and letting millions of people be vulnerable to losing their critical
data is unacceptable! How many people will lose their banking data, their
personal data because of this? I hope people wise up and start thinking
class action lawsuit...

>>>I am not so sure the Firefox community is ready to deal with that
>>>sort of legacy and multi-locale client base, but know they do not yet
>>>have to and so have freedom to appear more agile today.
>>
>>
>> There are many browsers that support many, many languages. This is
>> irrelevant as it is the code that has some serious security flaws. Hence
>> the only language that matters here is C++....
>>
>> Why are you taking the article so damn personally? I posted it to let
>> people know that there are serious security holes that will not be fixed
>> for a while...Does everything have to be pro-Microsoft/anti-Microsoft?
>> Are things really that black and white in this newsgroup?
>>
>>
>>>>On another note, what the hell is wrong with the way text is displayed
>>>>on these forums? I mean this defacement/XSS protection is a piece of
>>>>junk --
>>>
>>>the
>>>
>>>>messages are not displayed correctly in web browsers at least. Hopefully
>>>>that'll get fixed soon.
>>
>>
>> Is the text from my postings not showing up correctly?
>>
>> -Im

Karl Levinson [x y], mvp
07-09-2005, 10:51 PM
"Imhotep" wrote:

> First, the number of languages really does not have too much to do with
> it...this is yet another cross scripting vulnerability. It has to do with
> the code, not the languages that appear on the buttons.

> Lame excuse. When it comes to critical patches get more resources if you
> need it. GET IT DONE!

> There are many browsers that support many, many languages. This is
> irrelevant as it is the code that has some serious security flaws. Hence
> the only language that matters here is C++....

I really think you are mistaken on this one line of thinking. Microsoft
reportedly claims many of their patches take an hour to code and 40 days to
test. I have to assume this is true, because otherwise, Microsoft is wasting
a lot of their time and money for no good reason. I am convinced that when
it comes to patching, MS is not being cheap, lazy or uncaring. I don't think
it is possible for MS to speed up the patching process, unless perhaps if
they radically redesigned their OS architecture. I understand the resources
for testing include MS customers, not just paid MS staff, and they have a
fair number of them.

Note also that when you download a patch [that only contains the affected
files], you frequently have to select the language for the patch, suggesting
that there are different executables for different OS language version. All
of those different patch versions have to be tested.

Having said that, I suppose one could argue whether or not it's Microsoft's
fault for designing a system where localized language support causes such
problems and where the browser integration with the OS requires significant
regression testing... If you could disable IE and use another browser [or on
a server, no browser at all], for example... See, I'm not 100% pro-MS.


> Why are you taking the article so damn personally? I posted it to let people
> know that there are serious security holes that will not be fixed for a
> while...Does everything have to be pro-Microsoft/anti-Microsoft? Are things
> really that black and white in this newsgroup?

That's fine, I appreciate your posting this. I hope it was clear that my
beef was with the people that wrote the various articles, not with you for
posting it. While it's a true statement that MS patches take at least 30 to
45 days to be released and probably always will, and that in some cases this
has put some MS customers at risk, most of the other conclusions made in the
various articles had an anti-MS slant, and wrongly so. I've been known to
criticize MS too, but if I think the criticism is being made for the wrong
reason, I'll point it out.

Imhotep
07-09-2005, 10:51 PM
Srikrishna Komatineni wrote:

> So...
> Yes we do care about security..but that doesn't mean lock everything and
> wander somewhere...security is very much important but we need to
> consider the user experience...
> With the latest SP & the 2003 IE is much better...

I do not think getting infected or losing your banking records classifies as
a good user experience. Do you?

Fix your damn code and stop the lame excuses. Nobody believes them anymore
anyway...

> "Imhotep" <NoSpam@nothanks.net> wrote in message
> news:ueRhe.81134$tQ.44590@fed1read06...
>> http://it.slashdot.org/article.pl?sid=05/05/15/139208&from=rss
>>
>> -Im
>>

Mark Randall
07-09-2005, 10:51 PM
I hereby challenge YOU to make a better operating system and web browser.

--
- Mark Randall
http://zetech.swehli.com

"Imhotep" <NoSpam@nothanks.net> wrote in message
news:C4sie.42588$yV4.31545@okepread03...
> Srikrishna Komatineni wrote:
>
>> So...
>> Yes we do care about security..but that doesnt mean lock everything and
>> wander somewhere...security is very much important but we need to
>> consider the user experience...
>> With the latest SP & the 2003 IE is much better...
>
> I do not think getting infected or losing your banking records classifies
> as a good user experience. Do you?
>
> Fix your damn code and stop the lame excuses. Nobody believes them anymore
> anyway...
>
>> "Imhotep" <NoSpam@nothanks.net> wrote in message
>> news:ueRhe.81134$tQ.44590@fed1read06...
>>> http://it.slashdot.org/article.pl?sid=05/05/15/139208&from=rss
>>>
>>> -Im
>>>
>

Imhotep
07-09-2005, 10:51 PM
Mark Randall wrote:

> I hereby challenge YOU to make a better operating system and web browser.
>


OK. Give me all the money that MS has and you got it! Retard.

-Im

Jack
07-09-2005, 10:51 PM
"Karl Levinson [x y], mvp" wrote:
> I really think you are mistaken on this one line of thinking. Microsoft
> reportedly claims many of their patches take an hour to code and 40 days to
> test. I have to assume this is true, because otherwise, Microsoft is wasting
> a lot of their time and money for no good reason.

Unfortunately, Microsoft is wasting a lot of time and money for no good
reason. Once again it is not alone but is most noticeable for its size and its
bragging. It seems as though the employees are pretending to work to rip the
company off. It really does not take 40 days or so to write and test a patch,
as demonstrated by the open-source community. The language support could have
been fixed years ago with an i18n implementation, which is another sign of
wasting time and money. It seems as though more time is spent on marketing
and excuses than developing software and fixing bugs.

Mark Randall
07-09-2005, 10:51 PM
I think the 40 day testing is simply this... unlike open source, if you
distribute a patch to a billion computers and then find out there is a bug,
you have 1 billion very unhappy customers.

--
- Mark Randall
http://zetech.swehli.com

"Jack" </dev/null> wrote in message
news:8F5D5F27-8307-408C-9CA1-9FEB1574B498@microsoft.com...
> "Karl Levinson [x y], mvp" wrote:
>> I really think you are mistaken on this one line of thinking. Microsoft
>> reportedly claims many of their patches take an hour to code and 40 days to
>> test. I have to assume this is true, because otherwise, Microsoft is wasting
>> a lot of their time and money for no good reason.
>
> Unfortunately, Microsoft is wasting a lot of time and money for no good
> reason. Once again it is not alone but is most noticeable for its size and its
> bragging. It seems as though the employees are pretending to work to rip the
> company off. It really does not take 40 days or so to write and test a patch,
> as demonstrated by the open-source community. The language support could have
> been fixed years ago with an i18n implementation, which is another sign of
> wasting time and money. It seems as though more time is spent on marketing
> and excuses than developing software and fixing bugs.

Roger Abell
07-09-2005, 10:51 PM
"Imhotep" <NoSpam@nothanks.net> wrote in message
news:KSrie.42468$yV4.24133@okepread03...
> Roger Abell wrote:
>
> > "Imhotep" <NoSpam@nothanks.net> wrote in message
> > news:s8iie.73$Wo.26@fed1read03...
> >> Roger Abell wrote:
> >>
> >> > "Jack" </dev/null> wrote in message
> >> > news:E1E03C47-1018-48F5-8FE6-373CF1A9F377@microsoft.com...
> >> >> Both the vulnerabilities were reported/disclosed on the same day. Firefox has
> >> >> already been fixed (within a week of disclosure) so I don't see why you would
> >> >> set it as an example. The open source community does seem to get patches out
> >> >> a lot faster (and they have less money). Microsoft was and is always sluggish
> >> >> in regards to patching vulnerabilities (it's not alone but it's the most
> >> >> noticeable) as well as making use of their own (*nix and mac ripoffs) features
> >> >> (such as permissions on NTFS) to better protect the users from executing
> >> >> things randomly (SP2 for Windows XP is a starting point but still does not do
> >> >> the job). Face it...
> >> >>
> >> >
> >> > Fair enough observation, but consider, MS has something like 4 or 5
> >> > supported versions of IE afloat out there, and each of these is
> >> > released in some 30 or so languages.
> >>
> >> First, the number of languages really does not have too much to do with
> >> it...this is yet another cross scripting vulnerability. It has to do with
> >> the code, not the languages that appear on the buttons.
> >>
> >
> > You are making the assumption that all locale differences are just
> > in resource files for the display text. In fact, though, different
> > OSes have multilanguage add-ons which present different binaries
> > that need to be used also, making a pretty big test matrix when
> > you take OS host x 32/64 x IE versions x locales
>
> Lame excuse. This is a critical security flaw, actually at least two of
> them. This is also the biggest software company in the world. FIX THE DAMN
> CODE SO MORE PEOPLE DO NOT GET INFECTED! Enough with the lame excuses; they
> are falling on deaf ears....
>

You do not need to yell at me. I am not they.
I also have not expressed my opinion nor attempted to make excuses.
I have however attempted to allow some understanding of the issues
faced as compared to products where there is a single supported
version, singular test matrix, etc..

> >> > Do the numbers and figure that the delay is
> >> > not in writing the patch and researching further implications, but in the
> >> > regression testing for all the supported variations . . .
> >>
> >> Lame excuse. When it comes to critical patches get more resources if you
> >> need it. GET IT DONE!
> >>
> >> > I am not so sure the Firefox community is ready to deal with that
> >> > sort of legacy and multi-locale client base, but know they do not yet
> >> > have to and so have freedom to appear more agile today.
> >>
> >> There are many browsers that support many, many languages. This is
> >> irrelevant as it is the code that has some serious security flaws. Hence
> >> the only language that matters here is C++....
> >>
> >> Why are you taking the article so damn personally? I posted it to let
> >> people know that there are serious security holes that will not be fixed
> >> for a while...Does everything have to be pro-Microsoft/anti-Microsoft?
> >> Are things really that black and white in this newsgroup?
> >>
> >> >> On another note, what the hell is wrong with the way text is displayed on
> >> >> these forums? I mean this defacement/XSS protection is a piece of junk --
> >> >> the messages are not displayed correctly in web browsers at least.
> >> >> Hopefully that'll get fixed soon.
> >>
> >> Is the text from my postings not showing up correctly?
> >>
> >> -Im
>

Roger Abell
07-09-2005, 10:51 PM
PS.
A more appropriate newsgroup would have been
microsoft.public.internetexplorer.security
if you really wanted to get the discussion through
to that specific product group.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Imhotep" <NoSpam@nothanks.net> wrote in message
news:ueRhe.81134$tQ.44590@fed1read06...
> http://it.slashdot.org/article.pl?sid=05/05/15/139208&from=rss
>
> -Im
>

Karl Levinson, mvp
07-09-2005, 10:51 PM
"Jack" </dev/null> wrote in message
news:8F5D5F27-8307-408C-9CA1-9FEB1574B498@microsoft.com...

> Unfortunately, Microsoft is wasting a lot of time and money for no good
> reason. Once again it is not alone but is most noticeable for its size and its
> bragging. It seems as though the employees are pretending to work to rip the
> company off. The language support could have
> been fixed years ago with an i18n implementation, which is another sign of
> wasting time and money. It seems as though more time is spent on marketing
> and excuses than developing software and fixing bugs.

The problem with your reasoning is motive. If it's really as easy as you
say, what possible motive could Microsoft have for delaying the release of
patches? Do you really think Microsoft, a company with tons of money to
throw around that seems to feel free to do so, would intentionally choose
not to hire a few more people? People are cheap to hire, especially when
you're talking about the number of paying customers who get irate when
security problems hit them. When you consider how much money Microsoft
stands to lose with each security vulnerability in the news, Microsoft would
be a fool to choose not to hire a few extra people if that's all it took.
If you think Microsoft is cheap on hiring people, you should know that MS is
reportedly the world's largest employer of CISSPs, a certification that not
loads of people have and that costs employers extra in salary.

> It really does not take 40 days or so, to write and test a patch
> as demonstrated by the open-source community.

What the open source community has demonstrated, via the open source
mangleme tool and all the bugs in Mozilla, is that code like Internet
Explorer 6 has high code quality and is surprisingly resistant to things
like malformed HTML such as the so-called IE IFRAME vulnerability from
download.ject. The mangleme tool showed that every other open source
browser did very poorly when subjected to the same malformed HTML. But the
vulnerability you and the world remember is the one single IFRAME
vulnerability that tool found. Why is that?

I assume you've heard of the Mozilla bug from 2000 that still hasn't been
fixed? That's four or five years to fix, and counting.

If you're not a Microsoft customer, then none of this affects you and you
shouldn't bother rehashing this old argument. If you are a Microsoft
customer, then you can switch or get off the pot. I really have to wonder
what you gain by coming here to a tech support forum to argue with people
who don't work for Microsoft and have little say in how the company is run.

Imhotep
07-09-2005, 10:51 PM
Roger Abell wrote:

> PS.
> A more appropriate newsgroup would have been
> microsoft.public.internetexplorer.security
> if you really wanted to get the discussion through
> to that specific product group.
>

Well, this one seemed like the general place for it. Next time I will cross
post. Thanks.

-IM

Imhotep
07-09-2005, 10:51 PM
Karl Levinson, mvp wrote:

>
> "Jack" </dev/null> wrote in message
> news:8F5D5F27-8307-408C-9CA1-9FEB1574B498@microsoft.com...
>
>> Unfortunately, Microsoft is wasting a lot of time and money for no good
>> reason. Once again it is not alone but is most noticeable for its size and
>> its bragging. It seems as though the employees are pretending to work to rip
>> the company off. The language support could have
>> been fixed years ago with an i18n implementation, which is another sign
>> of wasting time and money. It seems as though more time is spent on
>> marketing and excuses than developing software and fixing bugs.
>
> The problem with your reasoning is motive. If it's really as easy as you
> say, what possible motive could Microsoft possibly have for delaying
> releasing patches? Do you really think Microsoft, a company with tons of
> money to throw around and seems to feel free to do so, would intentionally
> choose not to hire a few more people? People are cheap to hire,
> especially when you're talking about the number of paying customer that
> get irate when
> security problems hit them. When you consider how much money Microsoft
> stands to lose with each security vulnerability in the news, Microsoft
> would be a fool to choose not to hire a few extra people if that's all it
> took. If you think Microsoft is cheap on hiring people, you should know
> that MS is reportedly the worlds largest employer of CISSPs, a
> certification that not loads of people have and that costs employers extra
> in salary.

I suggest you ask Microsoft. Why they take so long to fix security holes is
a question for them, not me. Why are they NOT going to fix the latest security
holes in IE quickly? Again, ask Microsoft.

>> It really does not take 40 days or so, to write and test a patch
>> as demonstrated by the open-source community.
>
> What the open source community has demonstrated, via the open source
> mangleme tool and all the bugs in Mozilla, is that code like Internet
> Explorer 6 has high code quality and is surprisingly resistant to things
> like malformed HTML such as the so-called IE IFRAME vulnerability from
> download.ject. The mangleme tool showed that every other open source
> browser did very poorly when subjected to the same malformed HTML. But
> the vulnerability you and the world remember is the one single IFRAME
> vulnerability that tool found. Why is that?

Come on. IE has had its share of security problems even over the last
year! Second, what does this have to do with the original post? The
original post was to notify people that there are, at least, two new
critical security flaws in IE and that they are not going to be fixed soon.
What does that have to do with Mozilla or anyone else???

> I assume you've heard of the Mozilla bug from 2000 that still hasn't been
> fixed? That's four or five years to fix, and counting.

Come on! Fact: there are at least two critical security flaws in IE that are
not going to be fixed soon. FACT!

Again, that FACT has nothing to do with any other browser...this post is not
about a comparison, it is about a warning that these flaws are not going to
be fixed soon.

> If you're not a Microsoft customer, then none of this affects you and you
> shouldn't bother rehashing this old argument.

You are trying to make this "a rehashing of an old argument". I am simply
passing on a warning to people to protect themselves...

> If you are a Microsoft
> customer, then you can switch or get off the pot.

How f'n arrogant. I am asking them to fix their damn code and do it in a
timely fashion. I think we all deserve that don't you?

> I really have to wonder
> what you gain by coming here to a tech support forum to argue with people
> that don't work for Microsoft and have little say in how the company is
> run.

Again, it is a warning that there are at least two security holes in IE
that, apparently, are not going to be fixed soon. I am passing on
information so people can, hopefully, protect themselves. You are wasting
everyone's time by trying to bait me into a "browser flame war". I could
care less...

Don't know what your motives are and frankly don't care...

-Im

Imhotep
07-09-2005, 10:51 PM
Mark Randall wrote:

> I think the 40 day testing is simply this... unlike open source, if you
> distribute a patch to a billion computers and then find out there is a
> bug, you have 1 billion very unhappy customers.
>


...and if you do not patch two critical security holes in a timely manner and
a million customers get "infected" you get what?

-Im

Imhotep
07-09-2005, 10:51 PM
Roger Abell wrote:

> "Imhotep" <NoSpam@nothanks.net> wrote in message
> news:KSrie.42468$yV4.24133@okepread03...
>> Roger Abell wrote:
>>
>> > "Imhotep" <NoSpam@nothanks.net> wrote in message
>> > news:s8iie.73$Wo.26@fed1read03...
>> >> Roger Abell wrote:
>> >>
>> >> > "Jack" </dev/null> wrote in message
>> >> > news:E1E03C47-1018-48F5-8FE6-373CF1A9F377@microsoft.com...
>> >> >> Both the vulnerabilities were reported/disclosed on the same day.
>> >> >> Firefox has already been fixed (within a week of disclosure) so I
>> >> >> don't see why you would set it as an example. The open source
>> >> >> community does seem to get patches out a lot faster (and they have
>> >> >> less money). Microsoft was and is always sluggish in regards to
>> >> >> patching vulnerabilities (it's not alone but it's the most
>> >> >> noticeable) as well as making use of their own (*nix and mac
>> >> >> ripoffs) features (such as permissions on NTFS) to better protect
>> >> >> the users from executing things randomly (SP2 for Windows XP is a
>> >> >> starting point but still does not do the job). Face it...
>> >> >>
>> >> >
>> >> > Fair enough observation, but consider, MS has something like 4 or 5
>> >> > supported versions of IE afloat out there, and each of these is
>> >> > released in some 30 or so languages.
>> >>
>> >> First the number of languages really does not have too much to do with
>> >> it...this is yet another cross scripting vulnerability. It has to do with
>> >> the code not the languages that appear on the buttons.
>> >>
>> >
>> > You are making assumption that all locale differences are just
>> > in resource files for the display text. In fact though different
>> > OS have multilanguage addon which presents different binaries
>> > that need to be used also, making a pretty big test matrix when
>> > you take OS host x 32/64 x IE versions x locales
>>
>> Lame excuse. This is a critical security flaw, actually at least two of
>> them. This is also the biggest software company in the World. FIX THE
>> DAMN CODE SO MORE PEOPLE DO NOT GET INFECTED! Enough with the lame excuse
>> they are falling on deaf ears....
>>
>
> You do not need to yell at me. I am not they.
> I also have not expressed my opinion nor attempted to make excuses.
> I have however attempted to allow some understanding of the issues
> faced as compared to products where there is a single supported
> version, singular test matrix, etc..

Sorry, did not mean to yell at you. However, people are losing their data
every day. People are getting hacked every day. Identity theft is the
fastest growing crime in the US. The point I am trying to make is that this
is very serious and I would like it if Microsoft felt the same way about
their, lack of, progress in this matter. Simply allowing a month to go by
before posting a patch is ridiculous.

You do not have to tell me about software development. My bachelor's is in
Computer Science and I was a developer for some time...which is why I said,
and still say, it is an excuse to say that the number of languages is the
reason for a delayed fix...

>> >> > Do the numbers and figure that the delay is
>> >> > not in writing the patch and researching further implications, but
>> >> > in the regression testing for all the supported variations . . .
>> >>
>> >> Lame excuse. When it comes to critical patches get more resources if you
>> >> need it. GET IT DONE!
>> >>
>> >> > I am not so sure the Firefox community is ready to deal with that
>> >> > sort of legacy and multi-locale client base, but know they do not
>> >> > yet have to and so have freedom to appear more agile today.
>> >>
>> >> There are many browsers that support many, many languages. This is
>> >> irrelevant as it is the code that has some serious security flaws. Hence
>> >> the only language that matters here is C++....
>> >>
>> >> Why are you taking the article so damn personally? I posted it to let
>> >> people know that there are serious security holes that will not be fixed
>> >> for a while...Does everything have to be pro-microsoft/anti-microsoft? Are
>> >> things really that black and white in this newsgroup?
>> >>
>> >> >> On another note, what the hell is wrong with the way text is displayed
>> >> >> on these forums? I mean this defacement/XSS protection is a piece of
>> >> >> junk -- the messages are not displayed correctly in web browsers at
>> >> >> least. Hopefully that'll get fixed soon.
>> >>
>> >> Is the text from my postings not showing up correctly?
>> >>
>> >> -Im
>>

andy smart
07-09-2005, 10:51 PM
Imhotep wrote:
> Mark Randall wrote:
>
>
>>I think the 40 day testing is simply this... unlike open source, if you
>>distribute a patch to a billion computers and then find out there is a
>>bug, you have 1 billion very unhappy customers.
>>
>
>
>
> ..and if you do not patch two critical security holes in a timely manner and
> a million customers get "infected" you get what?
>
> -Im
They are less likely to go to court.

My guess is that if you don't patch your security holes and people get
infected then you have the 'defence' of saying that you were working on
the patch and because the data loss was caused by the malware which
exploited your security weakness then it's not your fault - if you
release a patch which is somehow flawed and results in data loss then
you are liable for that data loss because it is your fault. Open source
need not care about this because the level of individual responsibility
is low and there is no level of collective responsibility as there is no
"company".

The other point is that the only duty any company really has is to its
shareholders to make a profit; that's how capitalism works. As long as
the product sells and makes a profit the company is doing that for which
it exists.

Roger Abell
07-09-2005, 10:51 PM
"Imhotep" <NoSpam@nothanks.net> wrote in message
news:YEzie.22959$aB.5110@lakeread03...
> Roger Abell wrote:
>
> > "Imhotep" <NoSpam@nothanks.net> wrote in message
> > news:KSrie.42468$yV4.24133@okepread03...
> >> Roger Abell wrote:
> >>
> >> > "Imhotep" <NoSpam@nothanks.net> wrote in message
> >> > news:s8iie.73$Wo.26@fed1read03...
> >> >> Roger Abell wrote:
> >> >>
> >> >> > "Jack" </dev/null> wrote in message
> >> >> > news:E1E03C47-1018-48F5-8FE6-373CF1A9F377@microsoft.com...
> >> >> >> Both the vulnerabilities were reported/disclosed on the same day.
> >> >> >> Firefox has already been fixed (within a week of disclosure) so I
> >> >> >> don't see why you would set it as an example. The open source
> >> >> >> community does seem to get patches out a lot faster (and they have
> >> >> >> less money). Microsoft was and is always sluggish in regards to
> >> >> >> patching vulnerabilities (it's not alone but it's the most
> >> >> >> noticeable) as well as making use of their own (*nix and mac
> >> >> >> ripoffs) features (such as permissions on NTFS) to better protect
> >> >> >> the users from executing things randomly (SP2 for Windows XP is a
> >> >> >> starting point but still does not do the job). Face it...
> >> >> >>
> >> >> >
> >> >> > Fair enough observation, but consider, MS has something like 4 or 5
> >> >> > supported versions of IE afloat out there, and each of these is
> >> >> > released in some 30 or so languages.
> >> >>
> >> >> First the number of languages really does not have too much to do with
> >> >> it...this is yet another cross scripting vulnerability. It has to do with
> >> >> the code not the languages that appear on the buttons.
> >> >>
> >> >
> >> > You are making assumption that all locale differences are just
> >> > in resource files for the display text. In fact though different
> >> > OS have multilanguage addon which presents different binaries
> >> > that need to be used also, making a pretty big test matrix when
> >> > you take OS host x 32/64 x IE versions x locales
> >>
> >> Lame excuse. This is a critical security flaw, actually at least two of
> >> them. This is also the biggest software company in the World. FIX THE
> >> DAMN CODE SO MORE PEOPLE DO NOT GET INFECTED! Enough with the lame excuses;
> >> they are falling on deaf ears....
> >>
> >
> > You do not need to yell at me. I am not they.
> > I also have not expressed my opinion nor attempted to make excuses.
> > I have however attempted to allow some understanding of the issues
> > faced as compared to products where there is a single supported
> > version, singular test matrix, etc..
>
> Sorry, did not mean to yell at you. However, people are losing their data
> every day. People are getting hacked every day. Identity theft is the
> fastest growing crime in the US. The point I am trying to make is that this
> is very serious and I would like it if Microsoft felt the same way about
> their, lack of, progress in this matter. Simply allowing a month to go by
> before posting a patch is ridiculous.
>
> You do not have to tell me about software development. My bachelor's is in
> Computer Science and I was a developer for some time...which is why I said,
> and still say, it is an excuse to say that the number of languages is the
> reason for a delayed fix...
>

Well, I have gone on record suggesting that they just abandon the IE brand
and bring out a fresh, clean code (that is not OS integrated too). My PhD
studies were in CompSci and as far as I can tell there is just too much code
that reaches back to IE 4 and before . . .

> >> >> > Do the numbers and figure that the delay is
> >> >> > not in writing the patch and researching further implications, but
> >> >> > in the regression testing for all the supported variations . . .
> >> >>
> >> >> Lame excuse. When it comes to critical patches get more resources if you
> >> >> need it. GET IT DONE!
> >> >>
> >> >> > I am not so sure the Firefox community is ready to deal with that
> >> >> > sort of legacy and multi-locale client base, but know they do not
> >> >> > yet have to and so have freedom to appear more agile today.
> >> >>
> >> >> There are many browsers that support many, many languages. This is
> >> >> irrelevant as it is the code that has some serious security flaws. Hence
> >> >> the only language that matters here is C++....
> >> >>
> >> >> Why are you taking the article so damn personally? I posted it to let
> >> >> people know that there are serious security holes that will not be fixed
> >> >> for a while...Does everything have to be pro-microsoft/anti-microsoft?
> >> >> Are things really that black and white in this newsgroup?
> >> >>
> >> >> >> On another note, what the hell is wrong with the way text is
> >> >> >> displayed on these forums? I mean this defacement/XSS protection is
> >> >> >> a piece of junk -- the messages are not displayed correctly in web
> >> >> >> browsers at least. Hopefully that'll get fixed soon.
> >> >>
> >> >> Is the text from my postings not showing up correctly?
> >> >>
> >> >> -Im
> >>
>

Karl Levinson, mvp
07-09-2005, 10:51 PM
"Imhotep" <NoSpam@nothanks.net> wrote in message
news:pbzie.22955$aB.19726@lakeread03...

> > "Jack" </dev/null> wrote in message
> > news:8F5D5F27-8307-408C-9CA1-9FEB1574B498@microsoft.com...
> >
> >> Unfortunately, Microsoft is wasting a lot of time and money for no good
> >> reason. Once again it is not alone but is most noticeable for its size and
> >> its bragging. It seems as though the employees are pretending to work to
> >> rip the company off. The language support could have
> >> been fixed years ago with an i18n implementation, which is another sign
> >> of wasting time and money. It seems as though more time is spent on
> >> marketing and excuses than developing software and fixing bugs.

> year! Second, what does this have to do with the original post? The
> original post was to notify people that there are, at least, two new
> critical security flaws in IE and that they are not going to be fixed soon.
> What does that have to do with Mozilla or anyone else???

The link you posted, and the message that you see "Jack" posted above, were
not just discussing Microsoft vulnerabilities, but were tiredly claiming the
superiority of open source software's security. If you only wanted to
discuss the MS vulnerability, you could have posted the link to the original
eEye article and not a blog entry on how MS security stinks in comparison.
I am responding directly to the content of the link you posted, and to the
post that Jack posted. I'm not the one bringing open source comparisons
into this discussion.

> You are trying to make this "a rehashing of an old argument" I am simply
> passing on a warning to people to protect themselves...

> Again, that FACT has nothing to do with any other browser...this post is not
> about a comparison, it is about a warning that these flaws are not going to
> be fixed soon.

One of the three sentences in the slashdot link you posted states "news
sources are reporting that in comparison with the Mozilla Foundation's
prompt fix for the recently reported Mozilla 1.0.3 vulnerabilities MS appear
to be leaving a large window for the possible malicious exploitation of
these flaws." I'm not allowed to respond to your post?

> I am passing on
> information so people can, hopefully, protect themselves. You are wasting
> everyone's time by trying to bait me into a "browser flame war". I could
> care less...
>
> Don't know what your motives are and frankly don't care...

Maybe your newsreader screwed up the chronological display of this thread
somehow, but none of what I posted above was directed at you, but at Jack.
Unless you're Jack. As I clearly said, I appreciate your posting the link
and have no problem with the sharing of information, at least some of which is
undoubtedly based in fact. I never saw you arguing here that "open source
is better than Microsoft," so I never made any assumptions one way or the
other about what your opinions are on this.

Imhotep
07-09-2005, 10:51 PM
Karl Levinson, mvp wrote:

>
> "Imhotep" <NoSpam@nothanks.net> wrote in message
> news:pbzie.22955$aB.19726@lakeread03...
>
>> > "Jack" </dev/null> wrote in message
>> > news:8F5D5F27-8307-408C-9CA1-9FEB1574B498@microsoft.com...
>> >
>> >> Unfortunately, Microsoft is wasting a lot of time and money for no
>> >> good reason. Once again it is not alone but is most noticeable for its
>> >> size and its bragging. It seems as though the employees are pretending
>> >> to work to rip the company off. The language support could have
>> >> been fixed years ago with an i18n implementation, which is another
>> >> sign of wasting time and money. It seems as though more time is spent
>> >> on marketing and excuses than developing software and fixing bugs.
>
>> year! Second, what does this have to do with the original post? The
>> original post was to notify people that there are, at least, two new
>> critical security flaws in IE and that they are not going to be fixed soon.
>> What does that have to do with Mozilla or anyone else???
>
> The link you posted, and the message that you see "Jack" posted above,
> were not just discussing Microsoft vulnerabilities, but were tiredly
> claiming the superiority of open source software's security. If you only
> wanted to discuss the MS vulnerability, you could have posted the link to
> the original eEye article and not a blog entry on how MS security stinks in
> comparison. I am responding directly to the content of the link you
> posted, and to the post that Jack posted. I'm not the one bringing open
> source comparisons into this discussion.

First, that was the article in which I first found the information. Why should I
not post it? Information is just information. Why are you being so
sensitive? It seems that you are an anti-open source/gnu person. That would
seem to explain your comments.

>> You are trying to make this "a rehashing of an old argument" I am simply
>> passing on a warning to people to protect themselves...
>
>> Again, that FACT has nothing to do with any other browser...this post is
> not
>> about a comparison, it is about a warning that these flaws are not going
> to
>> be fixed soon.
>
> One of the three sentences in the slashdot link you posted states "news
> sources are reporting that in comparison with the Mozilla Foundation's
> prompt fix for the recently reported Mozilla 1.0.3 vulnerabilities MS
> appear to be leaving a large window for the possible malicious
> exploitation of these flaws." I'm not allowed to respond to your post?

Sure, please respond and comment. I welcome it. However, you seemed to take
their message personally. Like it was someone who insulted you. First, you have to
be honest with me and yourself. They are accurate in their statement.
Mozilla/firefox did put a high priority on their security holes by fixing
them very fast. I was shocked to learn that MS was not doing the same. So,
fair is fair: the article is honest and accurate.

>> I am passing on
>> information so people can, hopefully, protect themselves. You are wasting
>> everyone's time by trying to bait me into a "browser flame war". I could
>> care less...
>>
>> Don't know what your motives are and frankly don't care...
>
> Maybe your newsreader screwed up the chronological display of this thread
> somehow, but none of what I posted above was directed at you, but at Jack.
> Unless you're Jack. As I clearly said, I appreciate your posting the link
> and have no problem with the share of information, at least some of which
> is undoubtedly based in fact.

I believe all of it and it is fact...1) Mozilla, like it or not, did fix
their security issues very quickly 2) MS is not to...

What else from the article do you want to debate?

Honestly, no matter which "side" you are on, I do not see any lying in the
article; if you do, please point it out.

> I never saw you arguing here that "open source
> is better than Microsoft," so I never made any assumptions one way or the
> other about what your opinions are on this.

I am pretty neutral, although I will say one thing. My degree is in Software
Engineering. I started out doing just that. However, after a couple of
years it really depressed me. Companies were pushing deadlines instead of
quality. "Slap the code together, we will fix it in a patch later" was the
battle cry. After a while this got so bad I left business and now work in
IT Security. About a month ago, a friend got me into programming on "open
source" projects and I will tell you this honestly, they approach software
design like it was supposed to be. They discuss the solutions, they map out
and document the design. No code is pushed before it is ready. To my shock
and surprise Open source programming is much more "professional" than
"closed source" programming. Much more...again, like it or not, I am being
honest...I now love programming and software design again and actually miss
it...

-Im

Karl Levinson, mvp
07-09-2005, 10:51 PM
"Imhotep" <NoSpam@nothanks.net> wrote in message
news:wsJie.9815$cf5.3867@lakeread07...

> be honest with me and yourself. They are accurate in their statement.
> Mozilla/firefox did put a high priority on their security holes by fixing
> it very fast. I was shocked to learn that MS was not doing the same. So,
> fair is fair: the article is honest and accurate.

It is undeniably a fact that it typically takes Microsoft at least 30 to 45
days to fix most exploits, and this has been the case for a long time.
[While this doesn't sound good, note that Oracle can take 45 to 90 days to
release a quarterly security patch.]

What is up for debate is why this is, what this indicates, whether it's
Microsoft's fault and whether they have the power to do anything about it.
Where anyone chooses to stand on these questions is more opinion than fact.

Imhotep
07-09-2005, 10:51 PM
Karl Levinson, mvp wrote:

>
>
> "Imhotep" <NoSpam@nothanks.net> wrote in message
> news:wsJie.9815$cf5.3867@lakeread07...
>
>> be honest with me and yourself. They are accurate in their statement.
>> Mozilla/firefox did put a high priority on their security holes by fixing
>> it very fast. I was shocked to learn that MS was not doing the same. So,
>> fair is fair: the article is honest and accurate.
>
> It is undeniably a fact that it typically takes Microsoft at least 30 to
> 45 days to fix most exploits, and this has been the case for a long time.
> [While this doesn't sound good, note that Oracle can take 45 to 90 days to
> release a quarterly security patch.]

I understand what you are trying to say. However, typical Oracle
implementations are on servers and are firewalled off the Intranet.
Microsoft has millions of home users, corporate users and government users.
Microsoft *has* a responsibility, especially when they push their so-called
"Security Initiative", to do what they say and stop selling "snake oil".
Their solutions are far too expensive to give anything less. Do you not
agree?

> What is up for debate is why this is, what this indicates, whether it's
> Microsoft's fault and whether they have the power to do anything about it.
> Where anyone chooses to stand on these questions is more opinion than
> fact.

Fair enough on the "what this indicates..." statement. I do believe they can
do something about it. Come on, they are the richest company in the World
and not only just got, yet another, black eye on security but also got
beat by "open source" in the time to fix...humm, how much are you spending
in your IT shop with them? How much am I spending? Are we getting our
dollars' worth?

No wonder Europe is moving to Open Source as well as Brazil and most of
Asia. I do not know about you but, I feel like a fool for trusting and
using Microsoft products.



-Im

Jack
07-09-2005, 10:51 PM
"Karl Levinson, mvp" wrote:
> The problem with your reasoning is motive. If it's really as easy as you
> say, what possible motive could Microsoft possibly have for delaying
> releasing patches? Do you really think Microsoft, a company with tons of
> money to throw around and seems to feel free to do so, would intentionally
> choose not to hire a few more people?

I do not know what motive Microsoft has for delaying patches because I do not
manage any part of the company. That put aside, Microsoft does not need
any more employees or a bunch of "certified" this and that. It actually needs
fewer incompetent developers and software architects. Knowing people who work
in the business I have a good idea of what goes on in those buildings: weekly
presentations, creation of new terms that nobody needs or cares about and
people who pretend they can code (those who screw up code or write more code
than necessary to perform simple tasks).


> What the open source community has demonstrated, via the open source
> mangleme tool and all the bugs in Mozilla, is that code like Internet
> Explorer 6 has high code quality and is surprisingly resistant to things
> like malformed HTML such as the so-called IE IFRAME vulnerability from
> download.ject. The mangleme tool showed that every other open source
> browser did very poorly when subjected to the same malformed HTML. But the
> vulnerability you and the world remember is the one single IFRAME
> vulnerability that tool found. Why is that?
>
> I assume you've heard of the Mozilla bug from 2000 that still hasn't been
> fixed? That's four or five years to fix, and counting.

Good observation, Karl. Except that before you go into what performs and how,
you should take a closer look at the Firefox architecture (which Microsoft
has ripped off for Windows Longhorn for that matter). Keep in mind Firefox
works on more than just Windows (the Mac version is a different matter) and
that is due to the fact that it runs on its own platform. Much of the browser
is built with XUL which uses Javascript, meaning that overlooking the
possibility of certain scripts will result in a vulnerability. At this point
it seems that most of the flaws, if not all, found in Firefox are exploited
with Javascript as opposed to stack or heap overflows. The bugs can be fixed
easily with a few adjustments to the underlying components: probably just the
script engine.

If you do not mind linking me to the 5 year old vulnerability you speak of,
please do so.


> If you're not a Microsoft customer, then none of this affects you and you
> shouldn't bother rehashing this old argument. If you are a Microsoft
> customer, then you can switch or get off the pot. I really have to wonder
> what you gain by coming here to a tech support forum to argue with people
> that don't work for Microsoft and have little say in how the company is run.

I am a very frustrated "Microsoft customer" when away from my machine. What
do I gain by coming and ranting here? If more people (including Microsoft
employees) read these posts and get informed there is a slim chance they will
push Microsoft to improve the quality of their software, which unfortunately
dominates the desktop market and unfortunately will remain in place for a
while. Maybe Microsoft will start giving a rat's ass about their customers,
stop boohooing about customer experiences and shoving their crap down
people's throats, and begin patching flaws and fixing bugs. At least remove
oxymorons from error messages where for instance a failure to copy files
returns "operation completed successfully" (I took a screenshot if you wish to
see it).

Imhotep
07-09-2005, 10:51 PM
"Jack" </dev/null> wrote:

> "Karl Levinson, mvp" wrote:
>> The problem with your reasoning is motive. If it's really as easy as you
>> say, what possible motive could Microsoft possibly have for delaying
>> releasing patches? Do you really think Microsoft, a company with tons of
>> money to throw around and seems to feel free to do so, would
>> intentionally choose not to hire a few more people?
>
> I do not know what motive Microsoft has for delaying patches because I do
> not manage any part of the company. That put aside, Microsoft does not need
> anymore employees or a bunch of "certified" this and that. It actually
> needs less incompetent developers and software architects. Knowing people
> who work in the business I have a good idea of what goes in those
> buildings: weekly presentations, creation of new terms that nobody needs
> or cares about and people who pretend they can code (those who screw up
> code or write more code than necessary to perform simple tasks).
>
>
>> What the open source community has demonstrated, via the open source
>> mangleme tool and all the bugs in Mozilla, is that code like Internet
>> Explorer 6 has high code quality and is surprisingly resistant to things
>> like malformed HTML such as the so-called IE IFRAME vulnerability from
>> download.ject. The mangleme tool showed that every other open source
>> browser did very poorly when subjected to the same malformed HTML. But
>> the vulnerability you and the world remember is the one single IFRAME
>> vulnerability that tool found. Why is that?
>>
>> I assume you've heard of the Mozilla bug from 2000 that still hasn't been
>> fixed? That's four or five years to fix, and counting.
>
> Good observation Karl. Except that before you go into what performs and
> how, you should take a closer look at the Firefox architecture (which
> Microsoft has ripped off for Windows Longhorn for that matter). Keep in
> mind Firefox works on more than just Windows (the Mac version is a
> different matter) and that is due to the fact that it runs on its own
> platform. Much of the browser is built with XUL which uses Javascript
> meaning that overlooking the possibility of certain scripts will result in
> a vulnerability. At this point it seems that most of the flaws, if not
> all, found in Firefox are exploited with Javascript as opposed to stack or
> heap overflows. The bugs can be fixed easily with a few adjustments to the
> underlying components: probably just the script engine.
>
> If you do not mind linking me to the 5 year old vulnerability you speak
> of, please do so.
>
>
>> If you're not a Microsoft customer, then none of this affects you and you
>> shouldn't bother rehashing this old argument. If you are a Microsoft
>> customer, then you can switch or get off the pot. I really have to
>> wonder what you gain by coming here to a tech support forum to argue with
>> people that don't work for Microsoft and have little say in how the
>> company is run.
>
> I am a very frustrated "Microsoft customer" when away from my machine.
> What do I gain by coming and ranting here? If more people (including
> Microsoft employees) read these posts and get informed there is a slim
> chance they will push Microsoft to improve the quality of their software,
> which unfortunately dominates the desktop market and unfortunately will
> remain in place for a while. Maybe Microsoft will start giving a rat's ass
> about their customers, stop boohooing about customer experiences and
> shoving their crap down people's throats, and begin patching flaws and
> fixing bugs. At least remove oxymorons from error messages where for
> instance a failure to copy files returns "operation completed successfully"
> (I took a screenshot if you wish to see it).

Very nicely put...You will no doubt be labeled "Anti Microsoft" for demanding
quality from them...I am not sure if that is funny or just plain sad.

- Im

Karl Levinson, mvp
07-09-2005, 10:52 PM
"Imhotep" <NoSpam@nothanks.net> wrote in message
news:NbTie.2183$jp.1413@fed1read03...

> > how, you should take a closer look at the Firefox architecture (which
> > Microsoft has ripped off for Windows Longhorn for that matter).

Have you looked at IE in Longhorn pre-betas? Is what you see in Longhorn
any different from the current IE yet? I suspect maybe you're confusing
Longhorn with IE 7, which is still in the design stages and no one
has seen it yet. Numerous news articles have claimed that MS is ripping off
Firefox in adding tabbed browsing to IE7, so it would make as much sense to
argue that Firefox stole this from Microsoft. That's a pretty ridiculous
claim. Microsoft has been programming tabbed apps since Windows 98. It's
hardly fair to compare Microsoft IE 6 from 1999 to brand new Firefox, but if
you wanted to do such a comparison, you would find that while Firefox has
the ability to fix some vulns faster, that does not mean they have secure
quality code. Not only are there numerous vulnerabilities in all browsers,
plus the mangleme tool that found a lack of basic stress testing and code
review done against Firefox, but there have also been articles written about
poor security planning in Firefox, such as during the setup program and the
self-update routine. IE in Windows XP Service Pack 2 and Windows Server
2003 have had a security history that is comparable to Firefox.

http://www.mozillazine.org/talkback.html?article=5808
http://blogs.msdn.com/ptorr/archive/2004/12/20/327511.aspx


> > If you do not mind linking me to the 5 year old vulnerability you speak
> > of, please do so.

I think this was it, only I think Mozilla.org is now blocking you from
seeing the original bug log that I had read months ago.

http://secunia.com/advisories/11978/
http://it.slashdot.org/article.pl?sid=05/04/04/1914243&tid=172&tid=128&tid=154&tid=218
https://bugzilla.mozilla.org/show_bug.cgi?id=256195
https://bugzilla.mozilla.org/show_bug.cgi?id=288688


> Very nicely put...You will no doubt be labeled "Anti Microsoft" for
> demanding quality from them...I am not sure if that is funny or just plain
> sad.

You're imagining things. I haven't seen anyone in this thread call anyone
else anti-Microsoft. I have no problem with me or anyone else slamming
Microsoft, just as long as it's for a legitimate reason and not paranoid
"Microsoft hates you" FUD. There are certainly some legitimate reasons.
