__/ [Jim Richardson] on Monday 02 January 2006 01:35 \__
> On Mon, 02 Jan 2006 00:18:42 +0000,
> B Gruff <bbgruff@xxxxxxxxxxx> wrote:
>> Looks pretty bleak to me...... is this latest one really really bad then?
I've written more than a few diaries, and I've often been silly or said
funny things, but now, I'm being as straightforward and honest as I can
possibly be: the Microsoft WMF vulnerability is bad. It is very, very bad.
> The word from Redmond isn't encouraging. We've heard nothing to
> indicate that we're going to see anything from Microsoft before January
> The upshot is this: You cannot wait for the official MS patch, you
> cannot block this one at the border, and you cannot leave your systems
I imagine that vendor liability does not fall under the EULA. I have seen
hosts staying up all night, heroically fighting a downtime in an attempt to
satisfy the customer.
I suppose that in Redmond, pulling some employees back from a ski trip in
Aspen isn't worth it. What have they got to lose? Customers? "Where can the
customers go", they would say. When flaws are taken for granted, a monopoly
will be broken. If third-parties can patch this and even test the DLL, so
could the giant. In fact, there are many more necessary patches that are
either snubbed or procrastinated.
"Almost 4 years after the launch of Trustworthy Computing, I found myself
wondering why am I staying up till 4:00 AM to deliver an emergency set of
instructions (Home and Enterprise) to my readers because Microsoft felt it
unnecessary to patch a flaw six months ago that was originally low risk but
mutated into something extremely dangerous."
Do they need more manpower? Higher budget? What is it then...?