Microsoft’s Security Lunacy
Posted Sun, Jun 13 2004 16:09 by bill
MS seems to have adopted a monthly/lunar cycle for security updates. One really has to ask why, and at what cost? Sure, there should or could be delays in shipping patches due to the need for rigorous testing, but which is the greater risk: leaving systems unprotected, or risking some glitches once a system is secured?
I think most folk would take the glitches rather than have their system controlled or infected from the outside world. After all, that is what we usually have to do anyway… lock things down, which means loss of functionality for the sake of security.
So why is it that Microsoft takes a month to ship critical security updates? Is it some sick PR campaign to make people think there are fewer patches and fewer flaws, by only updating your system once a month? Gee, what a brilliant idea (NOT!!). <sarcasm>Maybe they can get the anti-virus companies to follow suit, and hold off shipping new virus definitions until next month.</sarcasm>
Meanwhile, we see more and more “day-zero” exploits. That is, as MS becomes predictable, it also becomes predictable to release an exploit to the public domain on the same day that MS releases its patches, thus giving 30 days of free exploitation.
This latest one is also a very nasty one. I was amazed at how it got through so many systems. Some anti-virus programs will stop some of the vectors being used, but that is actually catching older, known, unpatched exploits! (Why didn’t they wait till next month?)
Anyway, if you are using Windows, turn off active scripting, wait till MS comes into its next lunar cycle, and just be thankful they don’t actually have security products. Imagine if they sold bullet-proof vests… Oh well, I s’pose there they’d just deliver it to your grave.
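The "turn off active scripting" advice above means the Internet Explorer zone setting of that name. The script below is an added example, not code from the original post: it reads the current Active Scripting setting for the per-user Internet zone and disables it, with a dry run first. The registry path, the zone number (3 = Internet), the value name (1400 = Active scripting) and the meanings 0/1/3 = Enable/Prompt/Disable are assumptions about the IE zone layout, not facts stated on the page; Group Policy settings under HKLM can override the per-user value.

```powershell
# Added example (not from the original post): inspect and disable Active Scripting
# for Internet Explorer's Internet zone through the per-user zone settings.
# Assumptions (not on the page): zone settings live under
#   HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<zone>
# zone 3 is the Internet zone, value 1400 is "Active scripting",
# and 0 = Enable, 1 = Prompt, 3 = Disable.

$ZonePath        = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$ActiveScripting = '1400'
$Labels          = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveScriptingState {
    # Report the current setting; a missing value means the zone default applies.
    $item = Get-ItemProperty -Path $ZonePath -Name $ActiveScripting -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Not set (zone default)' }
    $v = [int]$item.$ActiveScripting
    if ($Labels.ContainsKey($v)) { return $Labels[$v] }
    return "Unknown ($v)"
}

function Disable-ActiveScripting {
    # Supports -WhatIf so the change can be previewed before it is written.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if (-not (Test-Path $ZonePath)) { New-Item -Path $ZonePath -Force | Out-Null }
    if ($PSCmdlet.ShouldProcess($ZonePath, "Set $ActiveScripting (Active scripting) to 3 (Disable)")) {
        Set-ItemProperty -Path $ZonePath -Name $ActiveScripting -Value 3 -Type DWord
    }
}

"Before: $(Get-ActiveScriptingState)"
Disable-ActiveScripting -WhatIf    # dry run; remove -WhatIf to apply the change
"After:  $(Get-ActiveScriptingState)"
```

Run it as the user whose browser settings you want to harden; verify afterwards in the Internet Options Security tab that Active scripting shows as Disable, and re-check after any Group Policy refresh, since a machine-wide policy will win over this per-user value.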