Microsoft Warns Against Outside Fixes

SEATTLE - When Microsoft Corp. researchers learned recently that a software flaw had been made public and could prompt Internet attacks, the company ordered a team to devote all its time to fixing the flaw and making the repair work with other products.


Microsoft argues that's the approach customers want and expect, but some security experts complained that the software company's traditional method, which could take days or weeks, wouldn't help people fast enough.

More... http://news.yahoo.com/s/ap/20060401/ap_on_hi_te/microsoft_s_security_snags;_ylt=AoOn8el.3obyms7owd2qyxQjtBAF;_ylu=X3oDMTA5aHJvMDdwBHNlYwN5bmNhdA--

This looks like serious problem! MSN need the better browser, don't you think, they would actually want to do something about all the problems with their browser? I swtch to FireFox!

If MS opened their code, we would be in a world of hurt. People are finding flaws as it is. If the code was open, every machine running Windows would be (more) susceptible to published attacks quicker than the developers could fix.

I'm sure there's a way it could be done- safely.

It's a silly notion anyway, since we all know nothing of the kind would ever happen...

As a bonus, Apple is a blue company with Al Gore on the board.

I have been think about buying new computer.

I recommend buying a refurb iBook or Powerbook G4.

but I've never had any problems with the 5 Apples I've owned and never had a virus. That's from OS 7.5 in the 90s to OS 9.1 and OS 10.3/10.4 recently. Nothing is perfect, Apples will break like all other computers, but if you gave me a free Windows PC I would never use it other than to make sure it works and then sell it on eBay.

for new computer, I'll UPS to you. One I have right now HP and it's about two years old. I will buy new apple this fall, when I can round up extra cash then. I'm saving my money up right now for my daughter's wedding, she is getting married this coming summer.

When I buy apple, maybe you can help me out with it, if I run into trouble.

BTW: Do you know, how to erase my personal information in the hard drive? I know how to erase lot of the stuff, but not everything. If you know and forward me the info before I send out the computer, that would be great!

and then suddenly a light switch will cut on, and you will understand.

Six of my friends have switched in the past year. Another one is making the switch next week. These people are not geeks or gamers, but just regular users who are fed up with Windows.

I think, you might be the only one who has apple picture, so this should be easy. ;-)

BTW: I am like your friend, just a regular computer user. Never got into heavy duty geek stuff.

Look up alfredo, leftofthedial, LeftCoast, NYCGirl, and some others I can't remember. They usually post on the Macintosh forum. Also, the Apple forums have several that will help you. Just go to....

http://discussions.info.apple.com/

Hood night for now... I'm going to bed. :hi:

or explicit video games on an Apple, provided you have kids, of course.

to switch to Mozilla et al. Makes me wonder how Gates got to be the world's wealthiest man.

This is interesting phrasing, coming very close to a direct admission of what many people already suspect (and have anecdotal evidence to support) but that sort of gets lost in the shuffle with what comes later.

"When Microsoft Corp. researchers learned recently that a software flaw had been made public and could prompt Internet attacks. . ."

Let's read that again, summarized. When MS researchers learned a flaw had been made public, they took action to start correcting the flaw. Does this, perhaps, suggest MS researchers knew the flaw existed but did nothing about it until it was made public? I think it does.

Shame on you! :spank: :sarcasm:

give them a time frame to fix it in, else it goes public. The companies hate this and consider it blackmail, but generally go along. Not everyone agrees with this approach and it is still has some controversy. With the exploit being identified, it can not be determined if this one went that route or was announced immediately.

It's not quite what I was getting at, though. Also, I'm not real clear on the point of your final comment. The latest flaw is a zero-day exploit, which basically means exploits are already implemented and being used. This is not the same as a situation involving a security expert finding a flaw and giving MS time to fix it before it becomes widely known. Zero-day exploits need to be reported immediately, regardless of the wishes of the programmers.

Anyway, what I was getting at ...

Some security people suggest MS is aware of a lot of the flaws in their various pieces of software even before the security experts are and are relying on the closed source to keep them secret, having no intention of touching them in anything approaching a timely manner unless someone else discovers it and it goes public. It's the same theory behind bean counters at other companies being aware of and not disclosing problems with their products until someone makes it an issue. Think car company that knows its cars will explode when hit a certain way in an accident. The cost of fixing it or admitting a problem is higher overall than the alternative of waiting, dealing with the PR fallout, and throwing out a fix at some later date, maybe. Some flaws in IE, for example, have been known by the public for a long time, and MS apparently has absolutely no intention of fixing them. They've already established no one can sue them successfully for these flaws, and as long as they have a strangelhold on the marketplace, the only real motivation to fix them at all comes from high volume/high income customers such as corporations that demand it and have the cash to make their demands seem appealing.

MS once relied on fairly regular releases of new versions of its OS and other software, which were sold rather than distributed as fixes, to make this manner of approaching quality control seem less obvious. "Oh, that was just a DOS 6.0 problem ... DOS 6.22 fixes it." "Oh, that was Windows 3.11 problem. Windows 95 changes everything," etc. But, after XP, MS essentially stopped delivering new product as it has delayed and delayed beyond reasonable expectations its newest release, meaning updates to correct these problems have not been forthcoming. Sure, they keep their regular patch cycle, which is absurdly controlled imo, but the patches generally address issues that have been problems for so long, the damage done to Average Consumer is already apparent in that they've either had their system compromised already or they've fallen into the game of beliving it's perfectly normal to have to pay other companies to protect them, without ever really fixing the problem itself, by using a partial, essentially temporary barrier between the flaw and those who would exploit it.

The issue has become one of time. Yes, with closed source, flaws are somewhat harder to detect, but given enough time, they will be detected and exploited by people who have nothing but destructive motives. The current version of IE has been around so long now that these more and more dangerous flaws, which have been present since the day it was released we should note, are being discovered by people who exploit the flaws rather than those who simply report them. What was discovered in this case was not a flaw in and of itself, but the fact that a flaw had already been discovered by others and was being used maliciously, a subtle but important distinction. If the source were open, which I realize won't happen, or if MS dedicated more of its resources to finding and fixing these flaws before they become problems, I and many others would cut them a lot more slack. But, they don't do that. They wait until a zero-day exploit is in the wild before assinging a team to correct it. Too little, too late.

I'm happier every day I have kicked the MS habit.

They did say, this flaw is being used by hackers right now! Microsoft made statement and said, the patch will be out ASAP. This is how I found about this problem, through local news.

Your correct in your assessment!

it was not clear if the hole had been reported to MS with a lead time prior to public disclosure or not. If its already in the wild, the "notify and give them a reasonable amount of time to fix it" protocol is not applicable.

"Does this, perhaps, suggest MS researchers knew the flaw existed but did nothing about it until it was made public? I think it does."

And to prove it, here is a lesson in futility.

Find a security flaw in an enterprise product.
Report it to the Company.
Get ignored.
Report it to the world at large.
Get an email from a product manager asking why you didn't tell him first.

and is being flooded with viruses etc, I will so laugh at all the Apple folk who kept trying to convince MS users to switch :)

Very few people make viruses for Apple simply because there are too few Apples in the market place. It would be like a terrorist group making a biological weapon that only works on 3.3% of the population - it just isn't worth it, because the lack of possible hosts gaurantees that it won't spread very far.

In fact, OSX viruses have already started appearing:

"A malicious script that spies on Apple Mac users was discovered over the weekend. The malware, which has been dubbed ‘Opener’ by Mac user-groups, disables Mac OS X’s built-in firewall, steals personal information and can destroy data."

or

"The Leap.A (aka Oompa-Loompa) infects applications in Mac OS X 10.4 (Tiger) running on PowerPC processors."

or

"OSX/Inqtana.A is a Java-based worm that exploits the directory traversal vulnerability in the Bluetooth file and object exchange services in Mac OS X 10.4 (Tiger)."

Face it - the more popular Apple computers become, the more viruses etc will appear, and the more damage they will cause. Apple has already started taking some flack over their response times to even these few viruses and associated vulnerabilites. What will they be like when they are getting a new virus every day, rather than every few months?

Oh, and you think Apple makes their OS more secure to begin with? Note that some of these exploits are not of flaws in the system, but are taking advantage of intentionally added "features" of OSX.

until I upgraded to 1.5, it was so buggy I switched back to IE.

I like it better than Firefox.