
Re: Third parties patch IE hole!

  • Subject: Re: Third parties patch IE hole!
  • From: Sinister Midget <sinister@xxxxxxxxxxxxx>
  • Date: Wed, 29 Mar 2006 17:02:44 GMT
  • Newsgroups: comp.os.linux.advocacy
  • Organization: Road Runner High Speed Online http://www.rr.com
  • References: <JZKdnesmasDN47fZRVnyrQ@eclipse.net.uk> <pan.2006.03.29.12.52.15.50618@suse10.1oss.eu> <cefqf3-l2c.ln1@clark.harry.net> <e0e7j5$19vu$1@godfrey.mcc.ac.uk>
  • Reply-to: usb@xxxxxxxxxxxxxxxxxxxxx
  • User-agent: slrn/0.9.8.1pl1 (Debian)
  • Xref: news.mcc.ac.uk comp.os.linux.advocacy:1096041
On 2006-03-29, Roy Schestowitz <newsgroups@xxxxxxxxxxxxxxx> posted something concerning:
> __/ [ Sinister Midget ] on Wednesday 29 March 2006 14:44 \__
>
>> On 2006-03-29, William Poaster <wp@xxxxxxxxxxxxxx> posted something
>> concerning:
>>> On Wed, 29 Mar 2006 13:32:24 +0100, Gordon wrote:
>>>
>>>> Security firms doing MS's job for them?
>>>> 
>>>> 
>>>> http://news.bbc.co.uk/1/hi/technology/4856492.stm
>>>
>>>
>>> Get this!
>>>
>>> "Microsoft said it could not endorse the patches or recommend that users
>>> install them as they had not been through the software giant's testing and
>>> evaluation program."
>>>
>>> Sour grapes, or what.
>> 
>> I doubt it. They're probably worried that their own patch (I'm assuming
>> there will be one someday) won't reach the same high level of
>> competence as somebody who has never seen the source. They want to
>> "test and evaluate" (read "release in the next generation") what they
>> endorse, then "innovate" it from the original author.
>
> Don't forget another factor. Patching that one vulnerability using some slack
> layer of plaster in haste leaves room for other similar-yet-necessary
> patches. It's a tradeoff between time of exposure and value of patch.
> Knowing Microsoft, they will be urged to release some protection (badly
> tested too, thus breakage to be entailed) ASAP and, the following week,
> aftershocks will ensue. Think of the WMF exploit, which had sort of variants
> or yet-undiscovered routes to being exploited.

History at the minimum hints that they'll break something. Whether it's
an obvious break or one that takes years/months to find will depend on
how long they test the next bandaid. A long test will make the breakage
more obscure. Once discovered, they'll break whatever they fixed to fix
whatever they broke if it takes a long time to find it.

> What is the solution? Release an operating system that is secure in the first
> place and never rely on 90th-minute patching. Learn from OSDL. No patches 2
> weeks before the release.

I don't believe they /can/ make a safe OS. I don't think they can
manage it due to the way they do business. I don't think they can make
themselves do what it takes. I don't think they have, or can attract,
the talent needed to pull it off now that they've screwed so many
things up.

Most of all, I don't think they _really_ want to do it.

They have too much invested in not only what's broken, but also in
keeping it broken. How else to force people/companies to buy new
versions and to allow them to expand into other areas? Like antivirus,
for example. Or Crashta la Vista.

You tie up customers' information in patented, undocumented formats,
release buggy products that use those formats, then change how things
work. If they want their information, they buy the new versions while
things still work. You give customers crappy "software" that suffers
from buggy code, then turn around and start selling them more stuff
they shouldn't need to take some of the pressure off of their
constantly having to scan and update from third parties. Customers will
also need to keep buying new junk or their information stored under
patented, undocumented formats will be locked away from them
forever (but not from the monopolists themselves, of course). You get
many, many people to use your crappy products, making sure they use
your patented, undocumented formats, and ensure that when others
realize the con, they have trouble breaking free because they have to
deal with businesses and individuals who are still using your bugware.

By the time people guess the right shell the pea is under, you'll
hopefully have several hundred billion in the bank (that they'll have
bankrolled) so you can target a new con. Or maybe you can already have
a new game bilking billions out of customers before they wise up and
stop playing the current crooked table.

-- 
Gaobot: Innovative Microsoft peer-to-peer software.
