IE 5.5 & 6 script security bug
Message
From
12/11/2001 18:18:49
Victor Chigne
Inteliventas
Peru
 
 
To
12/11/2001 17:38:25
General information
Forum:
Visual FoxPro
Category:
Other
Miscellaneous
Thread ID:
00580249
Message ID:
00580663
Views:
20
>>http://www.solutions.fi/index.cgi/news_2001_11_09?lang=eng
>>it scared me more than the bug itself.
>
>It presents one side of the situation, and then asks you to vote on which company is better. Nice. Then it gets better, they say:
>

Hello Mike.

I read BOTH sides of the story before my post. Any comment about the MSFT link?

>We however think that it is in the best interest of all Internet Explorer users to know that the browser they are using and trusting their business on contains a vulnerability and that their personal and possibly critical information might be compromised by third parties, and that they can actually prevent this from happening by disabling cookies from the browser.
>
>FWIW, I disagree totally. My mom doesn't care about the technical details of the bug. The only people who would care are the losers that exploit the bugs with viruses and attacks. So in essence, the company that posted the details of the bug did absolutely nothing, except giving virus writers something to do and putting MS in a tight spot as far as a patch goes. The icing on the cake: they want you to think that MS is irresponsible. These guys are brilliant.
>

Well, virus writers are not the only people who care. Why? Because the warning those people made drew a lot of attention from:
- ZDNET, CNET, the Register, and a long list of e-zines.
- UT people (to include it in its front page news)
- MSFT (which posted a workaround immediately, and they could have done that since Nov 1st)
- Lots of IT pros, as any look at the talkback sections of those articles can show.

I don't think they all are virus writers. :)


>If Online Solutions wanted to avoid a catastrophe by submitting the bug to MS, that's what they would have done.

AFAIK, they submitted the bug to MSFT first. Look:
"The person who discovered this vulnerability has chosen to handle it irresponsibly, and has deliberately made this issue public only a few days after reporting it to Microsoft. It is simply not possible to build, test and release a patch within this timeframe and still meet reasonable quality standards."
This is from MSFT.

>Instead, they assumed they knew how to fix the problem they found and how long it should take then refused to test the fix because they didn't have access to the source code like MS does.

I think it's a valid point. AFAICS, MSFT could have tested the patch very easily.

>They completely ignored every political issue involved here, along with many technical issues, including the deployment of the fix. Finally, and inappropriately, they took matters into their own hands by creating a scene around this security problem. A big no no.
>

Well, it forced a VERY quick response from MSFT. From that point of view, it's a big yes.

>Between the faulty assumptions, misinformation, grammar/spelling problems, and overall childish behavior, "voting" for the irresponsible company is actually pretty easy. Just my 2 cents.

It's easy for me too. There are lots of irresponsible people involved in a massive viral attack. I think we agree on two: users not applying service packs, and virus writers (well, they are not only irresponsible but criminal). But I include one you don't: companies that write faulty software with bugs that weren't present one version ago and that don't take security risks seriously. And you include one I don't: the people who found the bug, told the company, waited nine days and only then reported it for other people to know.

Don't worry about virus writers. They can find those bugs by themselves. But they don't tell MSFT to fix them, nor the users to be aware.

I apologize in advance for my grammar and spelling mistakes. English is not my native language.

Best regards