Re: [ISN] Security a work in progress for Microsoft
From: InfoSec News (isn@c4i.org)
Date: Mon Jan 19 2004 - 00:48:41 CST
Forwarded from: security curmudgeon <jericho@attrition.org>
: http://news.com.com/2100-7355-5141765.html
:
: By Robert Lemos
: Staff Writer, CNET News.com
: January 15, 2004
:
: Two years after Chairman Bill Gates called on Microsoft to redouble
: its efforts to secure its software, the company is beginning to make
: progress, according to customers--but much work remains.
: Six months after the release of the Windows 2000 operating system,
: Microsoft had warned of system flaws in 32 security advisories; 21
: vulnerabilities were gauged to be critical. Yet six months after
: Microsoft released Windows Server 2003, the successor to Windows 2000,
: after extensive code reviews, the number of flaws had shrunk to 14, with
: only 6 critical issues.
:
: "Customers are better off today than they were a year ago, and they will
: be even better off in the future," said Kevin Kean, a group manager at
: Microsoft's Security Response Center.
Windows security patches are now released once a month.
Microsoft has a long history of silently fixing major security flaws in
patches. We update to protect against A, B and C that made news. That
same update protects us from X, Y and Z that were just as dangerous,
but escaped attention.
The numbers (32/21 vs 14/6) mean absolutely nothing.
: Microsoft does make patches available more quickly than in previous
: years, said Mitchell Rubin, president of Lynx Consulting Group in
Why do I think this quote came before Microsoft opted to move to a
once-a-month patch model?
: Rather than releasing advisories every two or three weeks, the company
: now publishes the notifications once a month. It has also turned up the
: pressure on the underground programmers that create worms and viruses by
: offering a bounty on the people or groups who released the Sobig.F virus
: and the MSBlast worm.
.. a bounty that has yielded 0 arrests? 0 virus writer captures? 0
payouts?
: Moreover, some of the bug finders that have been the bane of Microsoft's
: public image for years are starting to take a softer stance toward the
: company, encouraged by greater cooperation from the company's security
: groups.
:
: "They are acting more responsibly," said Thor Larholm, a senior security
: researcher for security firm PivX Solutions and a frequent finder of
: bugs in Microsoft's products. "The have lived up to the spirit of
: Trustworthy Computing, even if they still have problems."
http://www.pivx.com/clients.html
GMAC || BOEING || Microsoft || University of California
I like Mr. Larholm and really appreciate the work he and PivX have
done in the past, but how can anyone take these comments seriously
when Microsoft pays them?
-
ISN is currently hosted by Attrition.org
To unsubscribe email majordomo@attrition.org with 'unsubscribe isn'
in the BODY of the mail.