I'm subscribed to Bugtraq and one of the emails on the list today was this one:
Date: Fri, 25 Jun 2004 18:53:04 -0000 From: [protected] To: bugtraq_no@securityfocus_valid_email.com Subject: Microsoft and Security Where is Microsoft now "protecting their customers" as they love to bray? Should not someone in authority of this public company step forward and explain themselves at this time? All of sudden panic is being created across the WWW with "IIS Exploit Infecting Web Site Visitors With Malware", "Mysterious Attack Hits Web Servers", "Researchers warn of infectious Web sites" all stemming from all news accounts from an unpatched "problem" with Internet Explorer now two weeks old and counting, which in fact in reality stems from 10 months ago, that being the adodb.stream safe for scripting control with write capabilities. What exactly is being done about this? Nothing. What does multiple billions of dollars buy you today. Nothing. However for $20 million you can almost fly to the moon. Someone ought to step forward and explaini what exactly is happening at this public company. The great "protector of their customers". One might even suggest that their entire "security" mandate be re-examined. What exactly do they consider a vulnerability? Something that suits them or something that's cost effective to fix. So what, a few people lose their identities, have a few dollars extracted from their bank accounts, have their home pages reset, we'll fix it when it suits us as we have to be on budget this quarter. The Big Boss says $40 billion isn't enough this year. A vulnerability: http://www.microsoft.com/technet/archive/community/columns/securi ty/essays/vulnrbl.mspx "A security vulnerability is a flaw in a product that makes it infeasible ^Ö even when using the product properly^×to prevent an attacker from usurping privileges on the user's system, regulating its operation, compromising data on it, or assuming ungranted trust." what this gibberish? For the past 10 months the adobd.stream object is capable of writing files to the "all important customer's" computer. It has real world consequences. It rapes their computer. Does it fit into the gibberish custom definition. Plain and simple: "A security vulnerability is a flaw in a product that makes it infeasible". What kind of language is this. Reads like the financial department conjured it up. Disabling scripting won't solve it. Putting sites in one of the myriad of "zones' won't solve it. Internet Explorer can trivially be fooled into operating in the less than secure so- called "intranet zone" and it can be guided there remotely. What's happening here. Where is the Microsoft representative explaining all of this to the shareholders and "customers" they so dearly wish to protect. This is unacceptable. Someone must be held accountable. -- http://www.malware.com
You can read the original here. Now ain't this right on the head? Microsoft is neglecting to fix numerous bugs and now everybody is raving about a "new" IIS bug which really is a cumulation of various _very_ old bugs. And this is happening all the time. Is microsoft that arrogant? Saying "we protect our users" while essentially just protecting their profit.