
Comments on: No fix yet for Word 2000 flaw

Microsoft releases patches for three security holes, but does not have a fix for a Word 2000 flaw being used in attacks.

Is security possible with MS at all?
by PolarUpgrade September 13, 2006 6:41 AM PDT
The Word 2000 patch delay raises the possibility that Microsoft does not consider security flaws affecting Office 2000 commercially important, possibly because of the firm's tiered approach to security that eventually phases out patches for apps that don't "earn" any longer for MS.

A further concern that we should all bear in mind is that if Office 2000 security issues matter at all, then security must matter for Office 97 as well. But does Office 97 get any patches at all now?

Security in a total context is also now compromised by the fact that Microsoft's commercial qualification to what the term "security" means has also dropped millions of Windows 98 PCs off the security fix radar.

The problem being that there are two halves to a secure Internet: The secure PCs one uses, and the unsecured PCs running older apps (in an efficient and wise economic use of the computer as an investment) that are going to be malware breeding grounds. Not because the software is obsolete or has run through its period of reasonable durability, but because the software maker prefers people to rebuy their software relatively frequently and so ends security support for older products.

Microsoft's current working implementation of desktop computer security thus covers only half of the threat base, and then only a portion of the one half it is dedicated to--because the MS approach leaves out older software that is still in use and still a threat.

The point being that the slow Word 2000 patch signifies the small tip of a much larger security iceberg. An iceberg caused entirely by MS's failure to realize that once an OS or a mass-used application suite is released and bought by millions primarily because of the economic efficiency these apps represent, it will need security fixes for many many years lest the economically valid and to-be-anticipated long-time use of such apps continue to put other users at risk AFTER the vendor pulls security fixes.
To be fair...
by Penguinisto September 13, 2006 7:49 AM PDT
Office apps don't directly connect to a network (or rather, shouldn't). This gives them a bit of a lower priority than the apps that are a whole lot closer to the network stack (web browsers, MSSQL Server, stuff like that).

As for the rest, yeah, I agree - but MSFT is only king of the upgrade treadmill - many, many, many other companies out there force users to upgrade or die.

As for end-of-life issues, MSFT is going to become a victim of this eventually... I doubt that Vista will be bought in any real volume outside of OEM installs, and with decent hardware lasting longer (no more two-year upgrade cycles like we had in the late 90's - early 00's), MSFT has a bit of trouble ahead.
Responsible Security Vendors
by wbenton September 16, 2006 9:30 AM PDT
Most security-conscious companies patch critical flaws within 24 hours and non-critical flaws within 72 hours.

Microsoft, however, continues to patch what they want, when they want, as they like... only proving their security irresponsibility!!!

Walt