Recommended Windows Hosts

  • Thread starter Crash Gordon®

Bob

I know the feeling! I used to do Web design and graphic design for a
living, and I don't think I'd ever go back to it. "No, I want it to be
bright yellow and K-Mart green and flashing!"

FYI, back on the other subject about "slow" releases of Unix updates:

http://www.cnn.com/2004/TECH/internet/04/14/microsoft.security.ap/index.html
RE: "Microsoft releases flurry of 'critical' patches"

"Maiffret said eEye found some of the flaws as long ago as September.
He criticized Redmond-based Microsoft for not taking quicker action.

Stephen Toulouse, Microsoft security program manager, said the company
would release a patch more quickly if it thought a flaw were being
exploited. But in general, he said, Microsoft has tried to release
patches just once a month to make it easier for customers to keep
track of the downloads."
 
Crash Gordon®

Well sometimes yah gotta put your foot down and insist that pink and green really don't work well...


| On Wed, 14 Apr 2004 08:43:12 -0700, Crash Gordon®
|
| >Yah know what I've done recently...I tell the client to pick some of their favorite colors.
|
|
| Recently I stopped asking as the answers weren't working out too
| well :)
|
|
 

Jim Cheshire

That's just simply a false statement. Microsoft's security team does not
release updates monthly. I'm not sure where they got their information, but
I happen to know first hand that this is not true.

--
Jim Cheshire
Jimco
http://www.jimcoaddins.com
================================
Author of Special Edition
Using Microsoft Office FrontPage 2003
5 Stars on Amazon and B&N
================================
The opinions expressed by me in the
newsgroups are my own opinions and
are in no way associated with my
employer or any other party. Jimco is
not associated in any way with any other
entity.
 

MD Websunlimited

Oh then this statement:

Stephen Toulouse, Microsoft security program manager, said the company would release a patch more quickly if it thought a flaw were
being exploited. But in general, he said, Microsoft has tried to release patches just once a month to make it easier for customers
to keep track of the downloads

is:

1. A conspiracy by the MS haters
2. A complete lie just made up by the Associated Press.
3. This article does not exist at all
4. Stephen Toulouse is not a Microsoft security program manager, Jim Cheshire is.
5. All of the above.

;>)

Mike
 

Wayne Moses

Carole Hall said:
> What is the difference between Windows hosting and Linux/UNIX hosting? I
> thought Windows was an operating system. (Like, I'm using Windows 98.)

Carole, I am not sure you got a direct answer to your question about Windows
vs Linux/Unix *hosting*.

Yes they are all operating systems but don't confuse client machines (like
the one you are sitting in front of right now) and server machines (the one
that sent you the information to read, e.g. websites).

I have always used Windows in various flavours through the years, and have
also always used *nix hosting because (a) it was there first and (b) it is
cheaper and has all the features I need (so far).

My message below describes what you get with Windows hosting as opposed to
*nix hosting, although it does not say the reverse case.

Wayne
 

Bob

> That's just simply a false statement. Microsoft's security team does not
> release updates monthly. I'm not sure where they got their information, but
> I happen to know first hand that this is not true.

Read the Article Jim. I'm not bashing MS here, just showing that
security updates are not always issued immediately and MS admits that.
If you read the article, you'll see that "monthly" would actually
be an improvement in this case. The (well known, respected) firm that
found these problems says that some were reported last September.
Apparently MS sat on them since then since no one was "exploiting"
them. So much for MS's new commitment to security as a top
priority.

As to the MS security manager's legitimacy, here are a few articles
where he's quoted:

http://itmanagement.earthweb.com/secu/print.php/3064591
http://enterprisesecurity.symantec.com/content.cfm?articleID=2409&PID=16742388&EID=457
http://www.techupdate.com/techupdate/stories/main/0,14179,2914659,00_print.html

I think he's legit.
 

Jim Cheshire

My point is that the information is not accurate as of April 2004. As I
said, I know first hand that they are released more often than once a month.
In fact, anyone who has Windows Update configured to download updates knows
that. My information comes directly from the guy in charge of that group at
Microsoft. I attended a talk from him where the entire process was
explained in detail, and you can see some of this same information at
http://www.microsoft.com/security/.

--
Jim Cheshire
 

Bob

> My point is that the information is not accurate as of April 2004. As I
> said, I know first hand that they are released more often than once a month.
> In fact, anyone who has Windows Update configured to download updates knows
> that. My information comes directly from the guy in charge of that group at
> Microsoft. I attended a talk from him where the entire process was
> explained in detail, and you can see some of this same information at
> http://www.microsoft.com/security/.


I respectfully disagree. This article is from CNN, dated April 14,
2004:

http://www.cnn.com/2004/TECH/internet/04/14/microsoft.security.ap/index.html

I quote again: "Stephen Toulouse, Microsoft security program manager,
said the company would release a patch more quickly if it thought a
flaw were being exploited. But in general, he said, Microsoft has
tried to release patches just once a month to make it easier for
customers to keep track of the downloads."

I'll accept the suggestion that MS sometimes issues interim patches.
However, each month I receive the Security Bulletin from MS entitled
EX. "Microsoft Windows Security Bulletin Summary for February 2004".
In fact, I just received the April bulletin on April 13th, the day
before the widely documented story.

Either way, the end result is the same. MS does *not* fix security
holes as soon as they find out about them. They fix them at their
convenience and subject to their own priority system. Even Mr. Toulouse
admits that.
 

David Baxter

The fact that MS releases monthly notices about security updates does
not of course mean that the updates are only available once a month...
 

Jim Cheshire

You're just misreading the article. Notice that CNN is not quoting
Toulouse. They are recapping what they heard from him. What they say is
that Microsoft will release a patch sooner if a flaw might be exploited, but
they generally try to release updates monthly. What does that mean? That's
the key question.

There is a scale of security flaws at MS. When an update is released
depends upon where it falls on that scale. There are many technical details
that determine where a particular flaw sits on the scale. If the issue is
critical, Microsoft releases the patch immediately, not monthly.

As I said before, anyone who has Windows Update set to notify them of
updates knows that updates are released more often than monthly. In fact,
in April alone I had a security update on April 3 and another on April 14.
That's two so far this month which is already twice the number that you
assert take place. :)

--
Jim Cheshire
 

Bob

> The fact that MS releases monthly notices about security updates does
> not of course mean that the updates are only available once a month...

As I noted. However, they make no attempt to publicize the releases.
Those who do auto updates will pick them up.
 

Bob

> You're just misreading the article. Notice that CNN is not quoting
> Toulouse. They are recapping what they heard from him.

I don't think so. I agree that the CNN writing can be considered
ambiguous because they don't use an exact quote but it does not appear
that they are merely quoting the general philosophy of Toulouse.

> What they say is
> that Microsoft will release a patch sooner if a flaw might be exploited, but
> they generally try to release updates monthly. What does that mean? That's
> the key question.

Agreed.

> There is a scale of security flaws at MS. When an update is released
> depends upon where it falls on that scale. There are many technical details
> that determine where a particular flaw sits on the scale. If the issue is
> critical, Microsoft releases the patch immediately, not monthly.

I think the determination of "critical" is the key. In addition, this
is not the first case of MS taking their own darn time about
implementing a fix. See this article dated 2/11/2004 in which MS again
took six months to repair what both MS and eEye acknowledge was a
very serious flaw.

> As I said before, anyone who has Windows Update set to notify them of
> updates knows that updates are released more often than monthly. In fact,
> in April alone I had a security update on April 3 and another on April 14.
> That's two so far this month which is already twice the number that you
> assert take place. :)

They apparently have a policy of doing monthly announcements. The only
exception I've seen to that policy is when a serious attack is in
process and they issue a major "newsworthy" alert. It is also evident
that your suggestion (if it was yours, I don't recall now) that *nix
world is any slower about releasing patches after bugs are discovered
is not correct; I've cited two recent examples of MS taking six to
nine months to repair known problems - in one case with what's been
called one of the most serious issues ever and in both with holes that
MS calls "critical". The suggestion that MS is any faster in patching
major holes is thus disproven.
 
