Free Republic

Finjan: Warning users or scaring up business?
c|net ^ | 11/12/2004 | Robert Lemos

Posted on 11/12/2004 8:36:05 PM PST by Prime Choice

Windows XP users could be excused for feeling a little less safe this week.

Security tools maker Finjan Software warned on Wednesday that it found as many as 10 security flaws in the last update to Microsoft's flagship operating system, Windows XP Service Pack 2.

In a statement that contained few details, the U.K. company claimed that the vulnerabilities could enable attackers to remotely access a victim's files, remove security measures aimed at Internet threats and run programs without any notification to the user.

Windows XP SP2 "suffers because it is still basically the same operating system and has some major flaws which compromise end-user security," Shlomo Touboul, CEO of the firm, said in a statement. "By using Finjan's proactive security solutions...users can enjoy a secure environment that protects them from such vulnerabilities."

The company did not wait for Microsoft to fix the issues, as many security companies do, and used the announcement to push its own wares as a way to be protected from the threats.

While security researchers have sometimes outed flaws in Microsoft products before the software giant has published a patch, security companies have generally waited to announce vulnerabilities until Microsoft had a way to protect its customers. Finjan's press release has reopened the debate over what should be considered the responsible disclosure of software flaws.

In the latest case, Microsoft believes that Finjan's flaw reports are, in many cases, overstated or altogether mistaken, said Debby Fry Wilson, director of marketing for Microsoft's security business and technology unit.

"We do feel strongly that what they are doing is premature, will cause market confusion and is an overstatement of the breadth and severity," she said. "We are very disappointed that they are engaged in a PR ploy rather than thinking about what is best for customers and the security of customers."

However, Finjan's CEO maintained that the company is merely warning people that Windows XP Service Pack 2 is not a digital fortress fully protected from Internet attacks. He labeled the press release education, not confabulation.

"People need to know that they have to be careful--and without education, people won't be careful," Touboul said during an interview with CNET News.com. "I wouldn't say we are scaring people. I don't believe in panic but in very calculated behavior."

While Touboul did not say whether the company gave Microsoft 30 days to fix the issue, as has become the industry norm, he maintained that Finjan gave the software company enough time, and more than enough information to take care of the issues.

"We don't want to argue with Microsoft about these things," he said. "We found the 19 vulnerabilities, and we showed that you could take remote control of a computer."

However, Microsoft's Wilson took issue with Finjan's move, contending that the software giant does not agree on how many of the flaws are real. Moreover, because the security company released the issues piecemeal, the software giant argues that it is not certain that Finjan has even named 10 vulnerabilities.

"They have been contacting us over time regarding various issues," Wilson said. "But there is no definitive communications between Microsoft and Finjan about 10 specific issues."

How and when security vulnerabilities should be disclosed has long been debated in the security community. Many researchers believe that companies and individuals should publicly announce vulnerabilities after giving the software maker enough time to fix them. Usually, programmers get a month to fix the problems.

The line between marketing products and disclosing security vulnerabilities should be well-defined for security companies, said Geoff Shively, chief scientist at security company PivX Solutions.

"Being a security company, you have to consider the impact on global Internet security before doing anything," he said. PivX has released software flaw advisories and plugged its products, but the company always gives Microsoft adequate time to fix the issues, he said. "Vulnerabilities are too dangerous and too powerful to be used as a marketing tool."

Software creators are frequently angered by researchers who do not allow them much time to fix problems. A year ago, game information site GameSpy sent a legal warning to an Italian security researcher who had found holes in that company's products. In June 2002, Linux software makers became peeved at security company Internet Security Systems for not giving them enough time to fix a problem before releasing an advisory about the issue.


TOPICS: News/Current Events
KEYWORDS: finjan; fud; malware; microsoft; security; trojans; viruses; windows; winxp; worms; xp
With all the money that Microsoft makes, you'd think they'd be able to afford a decent security audit of their software. Instead, they keep releasing the most trojan-friendly, worm-friendly and virus-friendly malware in the world.
1 posted on 11/12/2004 8:36:06 PM PST by Prime Choice

To: Fintan

(( ping ))


2 posted on 11/12/2004 8:38:53 PM PST by Lancey Howard

To: Prime Choice

Ya know how long it takes to release a patch once you are told about a possible flaw? Between the debugging, coding, testing, etc... it's not exactly an overnight thing...

Beyond that, I've used Microsoft products since Visual Basic 1.0 came out (kickin' it old school) and I have never, not once, had a trojan, worm, virus, or had my computer taken over.

And the sad thing is, if it wasn't Microsoft, it would be some other company being targeted - eventually ALL software, Operating Systems, and Hardware systems are going to be so locked-down that productivity will come to a screeching halt. All because there are unethical destructive dishonest scumbags out there...


3 posted on 11/12/2004 8:48:12 PM PST by Chad Fairbanks (Fascists Unhappy Concerning Kerry's Election Defeat.)

To: Chad Fairbanks
Ya know how long it takes to release a patch once you are told about a possible flaw? Between the debugging, coding, testing, etc... it's not exactly an overnight thing...

With the sheer wealth and resources that Microsoft has at its command, I don't buy this argument. They appear to have the will to secure nothing but their ridiculously restrictive licensing scheme.

4 posted on 11/12/2004 8:59:28 PM PST by Prime Choice (Hey-hey! Ho-ho! Arlen Specter's gotta go!)

To: Prime Choice
(They appear to have the will to secure nothing but their ridiculously restrictive licensing scheme.)

Why is it considered Microsoft's responsibility to secure everyone's computer that owns their software? I consider it my responsibility to secure my computers. I appreciate the fact that they eventually release a fix for every new security flaw some jackass with too much time on their hands finds but I don't count on it.
5 posted on 11/12/2004 9:16:59 PM PST by edchambers ("Rock n Roller with one foot in the grave")

To: Prime Choice

I think Microsoft has been very responsible in reacting to security threats.

I agree that the real problem is the morons who attack the computers. My computer is now loaded down with firewalls, spyware protectors, antivirus protection, and all sorts of programs cluttering up resident memory. It's a real PITA.

Without having all this stuff on my computer that hackers make necessary, the thing would probably run twice as fast. And one man's vulnerability is another man's convenience. Most of these "vulnerabilities" are simply aspects of the operating system that permit networking, communicating, interchange of information, and other useful activities.


6 posted on 11/12/2004 9:22:45 PM PST by Cicero (Marcus Tullius)

To: Prime Choice

BTTT


7 posted on 11/12/2004 9:27:50 PM PST by Fiddlstix (This Tagline for sale. (Presented by TagLines R US))

MS made its choices. One of the results of those choices was poor security. It has to live with those choices. Now users have choices...


8 posted on 11/12/2004 11:23:17 PM PST by D-fendr

To: Prime Choice

Well, maybe someday when and if you work there, you'll be surprised. I know what it takes to do it there...

But for now, keep yapping about something you seem to know nothing about. Makes no difference to me...


9 posted on 11/13/2004 8:30:52 AM PST by Chad Fairbanks (Fascists Unhappy Concerning Kerry's Election Defeat.)

To: Chad Fairbanks
Well, maybe someday when and if you work there, you'll be surprised. I know what it takes to do it there...

I'd sooner work as a bouncer in a French whorehouse. Much more respectable career choice.

But for now, keep yapping about something you seem to know nothing about. Makes no difference to me...

Likewise, FRiend. And just for your edification, I know a fair amount about Microsoft's lack of security. My job is cleaning up the messes that Microsoft's malware makes.

10 posted on 11/13/2004 10:46:43 AM PST by Prime Choice (Hey-hey! Ho-ho! Arlen Specter's gotta go!)

To: Prime Choice

, what you are saying is you are someone who has a job created by Microsoft. Imagine that.


11 posted on 11/13/2004 12:03:22 PM PST by Chad Fairbanks (Fascists Unhappy Concerning Kerry's Election Defeat.)
