Version: 2008

Comments on: Microsoft to issue cursor flaw patch early

Software maker had planned to wait until April 10, but will now issue the patch Tuesday given there is a public exploit using the hole.

Ahhh the speed . . .
by K.P.C. April 2, 2007 12:18 AM PDT
The first story I read on this flaw last week said that MS has been
aware of it since January . . . They wait till it's publicly exploited to
release an "early" patch?
I feel so secure...
by Ted Miller April 2, 2007 7:32 AM PDT
being in Mamma Microsoft's tender loving protective arms.
ahh the speed
by ITprosupport April 2, 2007 10:27 AM PDT
The exploit may only work if IE7 is run with protected mode off, that's what the patch is for!
As a sysadmin who distributes Microsoft patches...
by erblemoof April 2, 2007 1:09 AM PDT
Please say this is an April Fool's joke? Once a month is enough, thank you very much!
Getting attacked is easier on sysadmins?
by paul.saulnier April 2, 2007 5:03 AM PDT
I support Microsoft releasing patches when they know about problems, not simply an arbitrary time of the month. As a sysadmin, it's up to you to protect the systems you are responsible for, and maybe you should have an automatic update rollout system in place.
And?
by wolivere April 2, 2007 7:43 AM PDT
Strangely I patched my Linux distro this morning for an exploit known since November...

Your point is?
They should really publicize the workaround now:
by fcekuahd April 2, 2007 9:59 AM PDT
Switch to Firefox and Thunderbird. They're not vulnerable.
n3td3v advisory on third party patches
by n3td3v April 2, 2007 10:40 AM PDT
Dear all,

no authority or company should recommend a third party patch to the
public, this is to prevent a trend of malicious files claiming to be
an official vendor patch from being distributed across the world via
the internet.

as useful as they are to private users and some corporate environments
and official security sources, there should be no doubt that no
recommendation to use the patch should be made within the public
domain directed at the public at large.

microsoft should each and every time ZERT, for example, release a
third party patch, they (microsoft) should straight away come out to
the public domain and condemn each instance of a patch to counter-act
each media or unofficial security source who tries to link to the
patch from news articles and blog reports.

additionally, ZERT shouldn't offer the patch to the public domain,
they should set up their own infrastructure and technologies, so only
corporate, private and _official_ security sources can get the
availability of the patch.

for ZERT, there could be a business model and profit to be made by
offering a proof of concept patch before an official patch to
corporate, private and official security sources, but _not_ to the
public at large.

additionally, no _official_ security source should ever recommend
these patches to the public at large, unless you're not bothered about
being counter productive on your mission critical.

if you're an official commercial security outlet you can, of course,
like i recommended to ZERT, create a business model around these third
party patches, to distribute these to corporate, private and official
security sources, although you shouldn't be in the business of going
against microsoft patch policy as far as _public_ outletting is
concerned.

keep the third party patches for private, corporate and security
sector and stop making them available to just any tom dick and harry,
the security threat is mind boggling! at least from n3td3v's
prospectus of the situation.

it's a question of ethics and the above are mine.

the cut and snip crowd will of course be out to analyse and dissect
everything that's been said, but f* off..... i'm right you're wrong!!!


n3td3v
http://n3td3v.googlepages.com
Grow up...
by DemePoole April 2, 2007 1:45 PM PDT
You came off kind of strong, but your last comment...well

"the cut and snip crowd will of course be out to analyse and dissect
everything that's been said, but f* off..... i'm right you're wrong!!!"

What's up with that? Grow up.
*shrug* - depends on trust.
by Penguinisto April 3, 2007 9:00 AM PDT
If the 3rd-party patch comes from a source trusted by myself or by someone else that I explicitly trust, no problem - I'll use it (more so if I can parse the source code for the patch first).

The only real issue I see on 3rd-party patches is compatibility. You put it in, and the OS/app vendor is still not obligated to make sure that anything they do in the future is compatible with the 3rd party patch you put in. This means that in closed-source environments, things can possibly break.

/P
Ragging on Microsoft...
by DemePoole April 2, 2007 2:14 PM PDT
What is the point of ragging on MS? No company on this planet is perfect. ANYTHING created by human beings will be flawed in one way or another.

Also, how is it MS's fault that unscrupulous and ignorant individuals take advantage of technology? Do we blame the inventor of e-mail for SPAM? Heck, do we blame all the people who brought us Internet technology for all the mayhem and problems that people who are looking to make a quick buck cause?

Human beings have an insane instinct to see those who are "On Top" come tumbling down to the bottom of the barrel. If MS Windows wasn't installed on Over 90% of computers around the world, then it would be some other OS and people would still complain about that!

Bill Gates is FILTHY RICH because he focuses on the Big Picture. Business is not about pleasing all of the people all of the time. Business is about pleasing enough people to make a fortune and keeping those people pleased to continue making a fortune.

Apple is not as big as MS, but they still make money by pleasing enough people to keep them in business so they keep making money.

If MS closed shop today, who do you think would take over? We have two viable choices as far as I can see: Apple or Linux. Apple would most likely win, because Linux is too confusing for the average user. Then Apple would be in the same spot as MS.

All in all, people are just never satisfied and will always find something to complain about, no matter how trivial or insignificant that "something" may be.

I do not work for MS and I am not an advocate for MS. All I want from MS are products that will help me get what I need to get done faster and more efficiently. End.
Well said.
by lfagius April 2, 2007 3:00 PM PDT
I couldn't agree with you more. Well said, on all points across the board. The business situation today demands that ONE standard OS, and a common set of standards for applications installed on that OS, exists, and only that will succeed.

People, especially tech heads, will always find something to ***** about. That goes double for anything PC related that's marketed to the mass market.
Correct!
by Kostagh April 3, 2007 5:59 AM PDT
Wonderful!
Excellent and right to the point!
Why do I not see Remington blamed for all the people using their shotguns to rob banks?
Or FORD for all the runaway cars?
Or city councils for pickpocketing and pilfering in the streets?
People shall always be people!
Yeah, but... pwned by a mouse cursor?
by Penguinisto April 3, 2007 9:02 AM PDT
I mean... c'mon, you have to admit that it's pretty mickey mouse when a mouse cursor can turn your machine into a zombie...

/P