IE 5.5 & 6 script security bug
Message
From
12/11/2001 22:07:23
 
 
To
12/11/2001 20:40:44
Dragan Nedeljkovich (Online)
Now officially retired
Zrenjanin, Serbia
General information
Forum: Visual FoxPro
Category: Other
Miscellaneous
Thread ID: 00580249
Message ID: 00580705
Views: 19
Hey Dragan, Victor,

Thought I'd just post one response to both of your messages.

>>If Online Solutions wanted to avoid a catastrophe by submitting the bug to MS, that's what they would have done.
>They did.

Ah, but when they didn't get the results they wanted in the time frame that they had set for MS, they threatened to do something that MS doesn't like (and, something that I don't like). Then they did it. Sounds like they were more concerned with getting credit and recognition for their findings than avoiding any real security concern. Not a bad thing in and of itself, but then they claim that MS is irresponsible?

>They basically said it was easier for MS to do the testing, and that a private copy of the patch wouldn't do much good if it's not released to the public.

I think this is bogus. They are a security company, and they tested the product to find holes. But they are refusing to test the patch for the hole that they think is such a huge deal? That's called being a part of the problem.

>You mean the " and we thought that one weeks notice (common in open source community) for them to build and release a patch should be adequate." is enough to prove ignorance?

Not only for them to make the claim, but repeatedly hold MS to the deadline that they created themselves. I'm just not sure where they get off telling the makers of software used by millions of people how long they have to get things done right. Meanwhile, they still refuse to help test the proposed fix.

>Imagine you discovered one of the manhole lids in your street was actually cracked and if anyone over 200lb stepped on it the crack would widen enough for it to be dangerous. You call the proper city agency, and they tell you they're working on it, and it takes a week or two. You just sit because you don't want to create a scene, behave irresponsibly, inappropriately or take matters into your own hands.

Let's try this analogy: You're standing by a bank safe that's full of money and you know that the safe should be locked, even though it's wide open. Do you let the people in charge of the bank know about the problem, or do you yell out in the streets "The money is wide open, someone fix this!"?

>>Between the faulty assumptions, misinformation, grammar/spelling problems, and overall childish behavior...
>...Besides, we don't pick on anyone around here for grammar-and-spelling related reasons, because we'd probably be left with few highly literate people. This principle, however, doesn't count on the outside, right?...

Hey, I've got nothing against people that make spelling or grammar mistakes. I'd hate myself in that case. But when you try to make an argument, it would be nice to run a spell and grammar check on it first. If this is a language problem, then I apologize to Oy Online Solutions. But, what about the rest of it? Their baseless assumptions and "facts" that they try to pass off as true are OK with you?

>I read BOTH sides of the story before my post. Any comment about the MSFT link?

You only posted one link. There were a couple ms.com links in Online Solutions' article, but it was just to some technical stuff. Here's what I know about MS's stance on situations like the one we're discussing.
http://www.zdnet.com/zdnn/stories/news/0,4586,5098438,00.html?chkpt=zdnnp1tp01

>Well, virus writers are not the only people who care. Why? Because the warning that people made drag a lot of attention from:
>I don't think they all are virus writers. :)

But what good does it do anyone? There is more harm in posting the exploits than good. Now, if the patch was released, then, technical information would be a positive thing to those you listed. Until there's no patch, the harmful code is exploited by the folks you listed, and even more dangerous.

>I think it's a valid point. AFAICS, MSFT could have tested the patch very easily.

It's true that MS could test the patch. Do you think they didn't? That's probably what Online Solutions would prefer you believed, but that's just ridiculous. Why the unwillingness to cooperate and help test on their part? Sounds like they'd rather just give MS a hard time, and that's what I believe is irresponsible.

>Well, it forced a VERY quick response from MSFT. From that point of view, it's a big yes.

Oh yeah. More hastily thrown together bug fixes is always positive. This is going into another topic that was addressed in the chatter forum a couple of weeks ago.

>There are lots of irresponsible people involved in a massive viral attack. ... But I include one you don't: Companies writing faulty software with bugs don't present one version ago and who don't take security risks seriously.

Oh no, I never said that. I think that some of the things they do (especially with their email clients) are absolutely crazy and shouldn't go unnoticed, especially in the aftermath of these damaging viruses. But that's not what we're talking about here. We're talking about how MS handled a bug report from some company, AND how that company reacted to the response from MS (which, IMO, was by no means a negative response).