©1997/2004, Active Network. All Rights Reserved.
Time: 15:07 EST/20:07 GMT | News Source: CNET | Posted By: Robert Stein
Thanks Tim. Microsoft has acknowledged that it knew about an Internet Explorer security hole--and failed to issue a fix--a full week before it accused a security company of placing IE users at risk by publicly disclosing details of the flaw.
A Microsoft representative retracted an earlier claim that the company first heard of the flaw on Nov. 8--the date of security company Online Solutions' public disclosure--and said Microsoft was actually notified by Online a week earlier, on Nov. 1.

#1 By 2332 (129.21.145.80) at 11/19/2001 4:10:16 PM
Man, I hate when Microsoft makes me look silly for defending them.
While I still believe that their policy of keeping the security hole confidential until a patch can be issued is a good one, they shouldn't be using that as an excuse.
I'm still not quite sure why Online Solutions felt that a week was long enough to regression test a patch that would affect millions of configurations, but Microsoft shouldn't have claimed they acted irresponsibly. Never attribute to malice what you can attribute to ignorance.
For a security risk like this one, two weeks is the least you could give Microsoft to get a patch out there. Perhaps there was a bit of ego in this as well?

#2 By 135 (209.180.28.6) at 11/19/2001 4:50:22 PM
Online Solutions wanted their name in lights. It's all about ego.

#3 By 135 (209.180.28.6) at 11/19/2001 5:45:57 PM
Feeling a bit constipated today?

#4 By 1845 (207.173.73.201) at 11/19/2001 6:19:40 PM
#3 Have you heard of a politician named Bill Clinton? Who says liars are forced to resign?

#5 By 135 (209.180.28.6) at 11/19/2001 6:20:38 PM
Absolutely #7. Microsoft admits it's wrong, and I stand 100% behind that admission!
BTW, my earlier constipation remark was directed at #4, but it applies equally with #5. :)

#6 By 1845 (207.173.73.201) at 11/19/2001 7:01:28 PM
Let's be civil folks. We are adults here, right?

#7 By 135 (208.50.201.48) at 11/19/2001 8:05:59 PM
Insult? My dear friend, no insult was intended at all!
I was simply asking a question about your health and well being.

#8 By 1845 (207.173.73.201) at 11/19/2001 9:33:37 PM
Bitterness, bitterness. Thanks for the consideration #12. (Please get a name, so I can stop referring to you by IP or postID.)
I'm quite happy today after learning how to log queries against the registry, so let me share my perhaps a little too optimistic opinion about Microsoft vs the world with respect to security.
Can Microsoft secure data? Good question, I've seen hundreds of pirate copies of Windows and Office, but not one that offered me source code to either of them. Yeah, I'd say they can secure data when they want to.
Do they have flaws in their products? Yep! I run into them every day, of course I'm a programmer so I can API bugs and as a user I get implementation bugs. Grr. Does Microsoft fix bugs in their products? Hmm. How many MGs of service packs, patches, and hotfixes have I downloaded this month alone? Yeah, they fix bugs.
Do they remember their customers? Yep! I can't count how many times they have submitted to popular opinion because the public (their customers didn't like a feature or a strategy) - SmartTags in IE, extension for new volume licensing agreements, extension of NT4 MCSE cert, ASP.NET API, VB.NET syntax, yes they listen to their customers.
Do they want to make money? YEP!! That is the purpose of business, you know.
I think this whole security thing is the result of Microsoft trying to cover itself because it had a bug. They had to verify a bug and fix it. They also didn't want it announced (to make them look bad OR hurt their customers) until a fix was available. Online Solutions wanted it announced (so nobody would get their glory AND to protect the public) as soon as possible. Well these two motivations - self protection on Microsoft's side and on Online Solution's side - are conflicting.
Bottom line is, I doubt either of them REALLY cared about the public over their own interests. This is a non issue. We know software has bugs, we know Microsoft fixes bugs. We know they look after themselves. They aren't evil, they do just what every other business does.

#9 By 135 (208.50.201.48) at 11/19/2001 11:01:54 PM
#14. I'm sorry, am I supposed to take you seriously? I think one of the problems these days is that people with so much bitterness, like yourself, take things too seriously.
Bob: Well said. Yes Microsoft software has some problems. It's important to point this out, but it's also important to move on with your life after they have been addressed. There is no grand conspiracy, there is no evil empire. There is simply a software company trying to sell a product. If their product is no good, nobody will buy it.
The chief reason why Microsoft has been so successful is they do respond to these problems, and they do respond to the customers... They also do it far far more than any of their competitors, which is why they are resented. That level of customer service, more than anything else, is what makes or breaks a company.
Anyway, this is a silly issue. Microsoft released their bulletin the same day after the other guys released their announcement. They did this because they wanted to be responsive to their customers, and not appear like they were hiding issues. However they didn't have a tested patch yet, and so they had to state that quite clearly in the bulletin. They also were probably a little bit miffed that this guy with an ego trip went ahead and applied irresponsible disclosure, so they stuck in a statement saying "Yep we have no patch and the reason is because this bozo released the information too early."

#10 By 1124 (165.170.128.66) at 11/20/2001 8:10:07 AM
Sodablue, why even bother. It's like talking to people on drugs. They are not listening to you all they want is more drugs. MS hate is a drug.

#11 By 1124 (165.170.128.66) at 11/20/2001 11:20:39 AM
I agree, but look at Soda's complete answers compared to the responses.
This post was edited by GhostRider on Tuesday, November 20, 2001 at 11:22.

#12 By 1845 (207.173.73.201) at 11/20/2001 11:26:40 AM
I'm trying to straddle that fence, so I can give useful consultation to my clients. How am I doing #18?

#13 By 2332 (129.21.145.80) at 11/20/2001 12:33:58 PM
How ironic that people accuse anybody who supports Microsoft of being blind, when it is they who constantly ignore facts and valid points to stick with their anti-MS mantra.
Grow up people.
At any rate, it is obvious few of you have ever had to do any kind of regression testing - much less regression testing on the scale Microsoft is responsible for. Imagine if they released a patch that erased user partitions or something... *cough*... Apple.... *cough*. The same people bitching about this issue would be bitching about that one.
The fact is NOBODY here has any evidence that Microsoft was trying to somehow cover up this exploit, nor do you have evidence Microsoft wasn't working hard to fix the problem. You ignore many exploits, some of them serious, which are patched before anybody knew they were there. Is that not better? Is it not better to be able to truly fix a problem before anybody can take advantage of it?
Again, I point out that you should not attribute to malice what you can attribute to ignorance. Many of you assume that any actions by MS come as a command from their leaders, and that all are directed toward some massive plot or conspiracy. Obviously, yet again, those same people probably lack any kind of experience in a large company - especially a company like Microsoft - which has a very fragmented hierarchical structure. Bill Gates probably STILL doesn't know about this snafu, much less commanded it.
Again, I plead... grow up.

#14 By 135 (209.180.28.6) at 11/20/2001 2:42:31 PM
#22. Maybe you should just stop responding. Your continued responses make you look even more and more ridiculous.
As RMD pointed out, patches do take some time. The developers have to verify they can reproduce the issue, they have to understand the full scope of the issue. They then have to work out a way of patching the issue.
Then after they think they have a patch, it has to go to QC who tests the installation to make sure it fixes the issue as well as not creating any new issues. Frequently this involves multiple system configurations, especially given this impacts many different browsers and OS combinations.
Two weeks is not at all an unreasonable time frame.
The point I made is that Online Solutions got ants in their pants and were afraid they'd be scooped by someone else. Their mission is to get these things published, and get publicity. So without waiting for a response from Microsoft, they went public.
When you look at it in 20/20 you can clearly see Online Solutions was wrong in what they did. They can't claim it was because Microsoft was being unresponsive, because quite clearly they were responsive.
The only apology Microsoft made was for their snippy remark in the online bulletin which blamed these guys for posting the exploit prior to a patch being available. That's it, they haven't been caught hiding vulnerabilities, they haven't lied about anything. They simply acted somewhat unprofessionally when responding to an unprofessional individual.
For a company the size of Microsoft with the importance of their market, they can't afford to let emotions be aired in public.
Anyway, it's clear that you still just don't "get it". I hope you have a wonderful career flipping burgers at McDonalds, because with your lack of critical thinking skills it's quite clear you are not cut out for a career in information technologies.

#15 By 1845 (207.173.73.201) at 11/20/2001 3:47:14 PM
Those are quite valid points #23. As I see it until recently Sun has had great power in the UNIX and high end server market, Oracle in the database market, and AOL in the consumer Internet market. Microsoft, of course, is the market leader in desktop apps and OS's.
I think that diminishing Microsoft will increase the other three, which I don't see as a good thing. I think all four of them are capable of doing not good. I don't think any one of them is that much worse than the others. Perhaps we are screwed. In the mean time, however, I try to evaluate their products on the basis of who they are now and what they do. I try to see them objectively, so that regardless of what might happen in the future, things still go on in the present.

#16 By 135 (209.180.28.6) at 11/20/2001 4:56:59 PM
#26. It's clear you haven't even taken the time to understand this issue, much less my comments.
BTW, did you check the story from solutions.fi? Oh, did you even realize this group was in Finland? Think that might cause some communications difficulties with Seattle?
http://www.solutions.fi/index.cgi/news_2001_11_09?lang=eng
It's pretty clear from their response that they were interested in publicity rather than working with Microsoft on the problem. Is this wrong? I don't know, they apparently don't see that as a problem.
It's also pretty clear that Microsoft was responding to the issue effectively. From reading the BUGTRAQ archives, the final patch they released actually fixed more than just this issue, but 3 related issues regarding cookies. As such it's not unreasonable to conclude that during Microsoft's investigation they realized the issue was broader than first thought.
I just find it absolutely astonishing how you throw reality to the wind and dream up these stupid conspiracy theories.
As for your constipation problem, I can only recommend ex-lax or a diet high in fibre.
This conversation is over until you relieve yourself.

#17 By 135 (208.50.201.48) at 11/20/2001 7:55:01 PM
#28. No, MS has a policy of giving credit only if you work with them and don't release your bulletin until a patch is ready. That's not a policy change at all.
Online can do whatever they want, but it's pretty silly of them to whine about not getting credit when they refused to cooperate with Microsoft in the best interests of the users.
We cannot know how long MS was going to take, and we cannot know that this company irresponsibly releasing information somehow made the release of a patch come sooner. It still took an additional week after the release of the info for a patch to be released.
You've provided no evidence that MS lies. But what you have done is shown that you are willing to lie about things in order to implicate MS in grand conspiracies. I don't see how that benefits the public, but apparently you do.

#18 By 135 (208.50.201.48) at 11/20/2001 9:46:18 PM
I give up. This horse is long dead, and it's clear that you just want to bash Microsoft for no particular reason with no particular facts to support whatever fantasy you dream up.