2004-12-12

An open letter to the Security Community:

This is a fairly serious warning:
Stop surfing, browsing and using any sort of Internet viewing software.

Seriously.  Right now there are several unpatched browser vulnerabilities and one “blast through the pop-up blocker”.  The sky is definitely falling.

And why do we have these unpatched vulnerabilities that are being discussed in detail with no patches?  Because someone believes that it's more responsible to disclose them to the community of folks that then turn them into worms and what not than to responsibly disclose to the vendor and WAIT for an appropriate time for us to test and apply patches.

  • Nicolas Waisman disclosed a paper on a WINS vulnerability - the patch is not yet released
  • eEye, while stating on their web site that they practice “responsible disclosure”, have released technical details about a vulnerability the same day as the patch is released [approximately 12 hours last time], usually with enough technical detail to start the clock ticking.
  • http-equiv-at-excite.com has regularly disclosed before allowing for a patch.
  • Liu Die Yu, judging from his essay on the Microsoft Security Response Center titled “Die slowly this time MSRC explained”, apparently believes that going after the MSRC with verbal abuse is the noble thing to do.

These are just a few of the examples of businesses and individuals that make us more IN-secure out here.

I can hear you now say, “if the Evil Empire… well, if they'd only write better code”.  Wake up folks.  In the book Practical Cryptography the authors state that bridge builders have a finite set of threats to deal with.  Gravity, water, weather.  Software coders have an infinite number of threats, including, but not limited to, all of us pesky end users still running as local administrator around here.  [And while some say that it's hard to run as a plain user, I would argue that for the vast majority, if it were not for the insecure requirements of the applications we are running, we COULD run as a plain user most of the time, as many of us have no need to install software on a recurring basis.]

I'm tired of my security, my patching, being influenced by someone not even willing to use their real name. 

I'm tired of security firms that don't sell products in the small business server space saying they're holding Microsoft responsible, when all they do is end up hurting my community.

Patches hurt me in my community in two ways.

Firstly, they hurt me when I don't know about them.  When all I do is go to Windows Update and that's not enough to fully protect me.  [Granted, these days on the Internet most “gunk” traveling the wire is tuned for XP and 2K, and thus even when USAToday stuck us out there with only a strong password to protect us and NetBIOS ports exposed, we stayed up.]

Secondly, they hurt me when I apply them and they do harm.  Granted, this is happening less often, but there are still the rare times that they cause issues.  Rare is one time too many for me.

I'm sure there are folks that will tell me I'm kidding myself that the exploit is only coded “after” the patch comes out; that is, that it's already been out in the exploit community, and the mere release of the patch alone gives the folks out there the opportunity to reverse engineer an exploit.

But folks, you are missing something.  Down here, my community is not specifically targeted.  We're road kill.  We get hit with the worms, the Blasters, the Slammers.  We don't get hit with the specifically targeted attacks.  Ryan and Kevin stuck us out there to get hit by a MACK truck.  They weren't specifically hacking us.

So to those folks that think you are being noble, that you are holding Microsoft responsible, that you are making sure they do secure coding?  You hurt me and my community more.

Remember that we don't buy your products.

We don't know who you are down here if you are seeking fame.

We just get affected by what you do.

Remember that.  You hurt us most.

For the record, Opera is patched, Firefox has a workaround, but I'll stick with IE because I can group policy it and I have not heard of these actually being exploited.... yet.

[Via A .Text Community]