Topic: Microsoft: The Vista Bullying Stops Here

[toasty0]

By Rick Whiting, Kevin McLaughlin, ChannelWeb
1:17 PM EDT Tue. Jul. 08, 2008 Windows Vista has been dragged through the mud by the bullies with which it competes, but those bullies are about to get hit with some long overdue retaliation.
That's the message from Brad Brooks, Corporate Vice President of Windows Consumer Products, who in a Tuesday keynote speech at Microsoft (NSDQ:MSFT)'s Worldwide Partner Conference in Houston attempted to swat away the negative mojo around the OS that has built up since its launch.

"There are a lot of myths around Windows Vista. We know the story is very different than what our competitors would like us to think," Brooks told the audience.

In a clear dig at Apple (NSDQ:AAPL) and it's 'I'm a PC, I'm a Mac' advertisements, Brooks suggested that Microsoft is preparing to retaliate against "noisy competitors" with a major new multi-million dollar advertising campaign, something that many channel partners have been hoping the software giant would do for months.

"You thought the sleeping giant was still sleeping. We've woken up and it's time to take this message forward. This is the true story of Vista," Brooks said.

Security is one of the areas in which Vista simply hasn't received its due, Brooks said.

Vista has actually had a cleaner security track record in its first year since launch than any other open source or commercial OS in history, Brooks said. Vista also had 20 percent fewer security problems than XP in 2007, and users running Vista are 60 percent less likely to get malware than those running XP SP2, he added.

"This is the real Vista story, and it's only getting better," said Brooks.

Acknowledging that Vista was a major break from earlier versions of Windows, Brooks said the market is beginning to realize that Microsoft made these changes with their best interests in mind. "Yes, the changes did cause a lot of pain. But customers are starting to see benefits," Brooks said.

Brooks noted that the same architectural changes that caused hardships in Vista are carrying over to Windows 7, which means that users make the transition will already be up to speed when Microsoft launches the next version of Windows sometime in late 2009 or early 2010.

"Make the investment [in Vista] now," Brooks exhorted channel partners. "Because when you make the investment in Windows Vista, you're not only making it in Vista, it's going to pay forward into the next generation of the operating system we call Windows 7."

Compatibility issues in Vista have also been exaggerated, and Microsoft's Windows Vista Compatibility Center, a database that shows the compatibility status of the most Windows popular devices and software products, is aimed at clearing the air on this front, according to Brooks.

Brooks also introduced the Vista Small Business Assurance program, under which Microsoft will offer free support and one-on-one coaching to small businesses.

"Windows Vista is a good product," Brooks told partners. "We need to make our voices heard."

http://www.crn.com/it-channel/208803174

[Clark Kent]

Yes, I can see how the company that holds 95% of the OS market would clearly be bullied by their competitors.  Personally, I think Vista isn't that bad, but the issues it has are largely because M$ screwed up on it.  I couldn't tell you how many IT people I know who would rather cut off their right arm rather than own Vista.  90% of the developer market doesn't want to touch it.  Businesses in general don't want to touch it.

Oh yes, i can totally see why people would want to invest in your crappy OS when the refined version is supposed to be out in 2009.   

[Pestalence_XC]

Actually, Microsoft has the Milestone 2 is due out Nov. 2008... Beta 1 release in May to July 2009.. Beta 2 in Sept. to Dec 2009 ... Retail version is set for release between April and Sept. 2010 depending on any last minute fixes to be done.

It is basically going to be Vista SP2 or SP3 .. Requires Vista SP 1 for upgrade.. XP won't be able to upgrade from what I have read.

Plus I don't think XP's hardware will operate on Windows 7 ..

Now Vista based systems or systems downgraded to XP will be able to run the OS.. but you have to have Vista SP 1 installed for an upgrade to Windows 7 to work.. Otherwise you will have to buy a Retail copy.

Upgrading Vista will be just like installing an IT version of a Service Pack.

[Dracho]

http://storefrontbacktalk.com/story/071108homa

Former Hannaford CIO: Avoid Microsoft And Change PCI's Encryption Rules
Written by Evan Schuman
July 11, 2008


Bill Homa, who just stepped down July 1 as the CIO for the 165-store Hannaford grocery chain, considers Microsoft's OS to be "so full of holes" and describes the fact that current PCI regs do not require end-to-end encryption as "astonishing."

But Homa's key point is that most retailers handle security backwards: Don't pour everything into protecting the front door. Assume they'll get through and have a plan to control them once they're inside.

One of the most frustrating IT security realities in retail today is the quintessential oxymoron: The more serious the CIO is about keeping data secure and the more sophisticated a defense is deployed, the more points of vulnerability emerge.

For example, an especially risk-averse IT exec might opt for multiple distant off-site backup locations, which only increases the number of potential places and subcontractors that could lose—or maliciously access—those data files. Or security specialists who install a wide range of cutting-edge and redundant security applications may find themselves at the mercy of any crash-causing glitch in any of them.

Consider PCI. The most dedicated PCI program is subject to the whims of a potentially careless assessor, who would also be a potential data leak. Then there's operating system changes for the sysadmin dedicated enough to immediately download and install every patch and security update, only to find that they open more holes. A less aggressive effort might have been spared that pain, as the community identifies the hole before it's installed.

This came to mind as I was chatting the other day with Bill Homa, who on July 1 could say for the first time in 12 years, "Today, I am not the CIO of Hannaford."

PCI-compliant Hannaford was, of course, the victim of an especially large data breach (data from 4.2 million payment cards grabbed).

Homa has become a fan of simplification in battling security. "We used a lot of Linux," Homa said. "None of the breach was anything related to Linux. All of it was Microsoft."

Asked whether he believed that Microsoft is less secure because it's truly less secure software or whether its overwhelming marketshare makes it a cyber thief target, Homa said it was the other way around. Microsoft's marketshare is not what attracts so many attackers. "Microsoft is so full of holes. That's why it's still a target," he said.

Would he counsel other CIOs to avoid Microsoft like the plague? "That's what I'd do. If you limit your exposure to Microsoft, you're going to be in a more secure environment," he said, adding that Microsoft's philosophy is decentralized, forcing IT to manage more points. That means more license fees for Microsoft and more potential security gotchas for the CIO. "Hence, you see my aversion to Microsoft."

As for the oft-repeated song that Hannaford was breached while PCI compliant indicates some sort of a PCI indictment, Homa said it comes down to two things: "Either the standards weren't strong enough or the assessor wasn't doing his job."

He finds particular fault in one aspect of the current PCI standard: "All debit- and credit-card transactions should be encrypted from end to end. That should be the minimum. It's astonishing that isn't the standard of PCI," which only requires encryption when transmitting over a public network such as IP.

The PCI rationale is that private point-to-point networks—such as the one Hannaford uses—are sufficiently secure that they don't need encryption. Homa disagrees. "Nowadays, encryption is not that expensive. And there's no such thing as a secure network," he said. "If you think your network is secure, you're delusional."

Homa has his own strong security strategy, which seems to be a minority view. It's futile, he said, to continually pour resources and time into securing the front door and windows of a house that is being relentlessly attacked by well-financed thieves with plenty of time. Instead of spending so much effort trying to keep the bad guys out, assume they'll get in.

"Most retailers have the philosophy of keeping people out of their network. It's impossible to keep people out of your network. There are bad people out there. How do I limit the damage they can do? If you don't do that, they'll have free reign to do whatever they want."

[toasty0]

Yes, I can see how the company that holds 95% of the OS market would clearly be bullied by their competitors.  Personally, I think Vista isn't that bad, but the issues it has are largely because M$ screwed up on it.  I couldn't tell you how many IT people I know who would rather cut off their right arm rather than own Vista.  90% of the developer market doesn't want to touch it.  Businesses in general don't want to touch it.

Oh yes, i can totally see why people would want to invest in your crappy OS when the refined version is supposed to be out in 2009.   

Beside the devlopers I personally know, the boards I lurk on (www.codeproject.com) express just the opposite sentiment than you assert.

IT peeps. Bah! By nature they hate change. Vista has nothing to little to do with their unwillingness to accept new technologies.

[toasty0]

http://storefrontbacktalk.com/story/071108homa

Former Hannaford CIO: Avoid Microsoft And Change PCI's Encryption Rules
Written by Evan Schuman
July 11, 2008


Bill Homa, who just stepped down July 1 as the CIO for the 165-store Hannaford grocery chain, considers Microsoft's OS to be "so full of holes" and describes the fact that current PCI regs do not require end-to-end encryption as "astonishing."

But Homa's key point is that most retailers handle security backwards: Don't pour everything into protecting the front door. Assume they'll get through and have a plan to control them once they're inside.

One of the most frustrating IT security realities in retail today is the quintessential oxymoron: The more serious the CIO is about keeping data secure and the more sophisticated a defense is deployed, the more points of vulnerability emerge.

For example, an especially risk-averse IT exec might opt for multiple distant off-site backup locations, which only increases the number of potential places and subcontractors that could lose—or maliciously access—those data files. Or security specialists who install a wide range of cutting-edge and redundant security applications may find themselves at the mercy of any crash-causing glitch in any of them.

Consider PCI. The most dedicated PCI program is subject to the whims of a potentially careless assessor, who would also be a potential data leak. Then there's operating system changes for the sysadmin dedicated enough to immediately download and install every patch and security update, only to find that they open more holes. A less aggressive effort might have been spared that pain, as the community identifies the hole before it's installed.

This came to mind as I was chatting the other day with Bill Homa, who on July 1 could say for the first time in 12 years, "Today, I am not the CIO of Hannaford."

PCI-compliant Hannaford was, of course, the victim of an especially large data breach (data from 4.2 million payment cards grabbed).

Homa has become a fan of simplification in battling security. "We used a lot of Linux," Homa said. "None of the breach was anything related to Linux. All of it was Microsoft."

Asked whether he believed that Microsoft is less secure because it's truly less secure software or whether its overwhelming marketshare makes it a cyber thief target, Homa said it was the other way around. Microsoft's marketshare is not what attracts so many attackers. "Microsoft is so full of holes. That's why it's still a target," he said.

Would he counsel other CIOs to avoid Microsoft like the plague? "That's what I'd do. If you limit your exposure to Microsoft, you're going to be in a more secure environment," he said, adding that Microsoft's philosophy is decentralized, forcing IT to manage more points. That means more license fees for Microsoft and more potential security gotchas for the CIO. "Hence, you see my aversion to Microsoft."

As for the oft-repeated song that Hannaford was breached while PCI compliant indicates some sort of a PCI indictment, Homa said it comes down to two things: "Either the standards weren't strong enough or the assessor wasn't doing his job."

He finds particular fault in one aspect of the current PCI standard: "All debit- and credit-card transactions should be encrypted from end to end. That should be the minimum. It's astonishing that isn't the standard of PCI," which only requires encryption when transmitting over a public network such as IP.

The PCI rationale is that private point-to-point networks—such as the one Hannaford uses—are sufficiently secure that they don't need encryption. Homa disagrees. "Nowadays, encryption is not that expensive. And there's no such thing as a secure network," he said. "If you think your network is secure, you're delusional."

Homa has his own strong security strategy, which seems to be a minority view. It's futile, he said, to continually pour resources and time into securing the front door and windows of a house that is being relentlessly attacked by well-financed thieves with plenty of time. Instead of spending so much effort trying to keep the bad guys out, assume they'll get in.

"Most retailers have the philosophy of keeping people out of their network. It's impossible to keep people out of your network. There are bad people out there. How do I limit the damage they can do? If you don't do that, they'll have free reign to do whatever they want."

And this has what to do what with Vista?

[Dash Jones]

By Rick Whiting, Kevin McLaughlin, ChannelWeb
1:17 PM EDT Tue. Jul. 08, 2008 Windows Vista has been dragged through the mud by the bullies with which it competes, but those bullies are about to get hit with some long overdue retaliation.
That's the message from Brad Brooks, Corporate Vice President of Windows Consumer Products, who in a Tuesday keynote speech at Microsoft (NSDQ:MSFT)'s Worldwide Partner Conference in Houston attempted to swat away the negative mojo around the OS that has built up since its launch.

"There are a lot of myths around Windows Vista. We know the story is very different than what our competitors would like us to think," Brooks told the audience.

In a clear dig at Apple (NSDQ:AAPL) and it's 'I'm a PC, I'm a Mac' advertisements, Brooks suggested that Microsoft is preparing to retaliate against "noisy competitors" with a major new multi-million dollar advertising campaign, something that many channel partners have been hoping the software giant would do for months.

"You thought the sleeping giant was still sleeping. We've woken up and it's time to take this message forward. This is the true story of Vista," Brooks said.

Security is one of the areas in which Vista simply hasn't received its due, Brooks said.

Vista has actually had a cleaner security track record in its first year since launch than any other open source or commercial OS in history, Brooks said. Vista also had 20 percent fewer security problems than XP in 2007, and users running Vista are 60 percent less likely to get malware than those running XP SP2, he added.

"This is the real Vista story, and it's only getting better," said Brooks.

Acknowledging that Vista was a major break from earlier versions of Windows, Brooks said the market is beginning to realize that Microsoft made these changes with their best interests in mind. "Yes, the changes did cause a lot of pain. But customers are starting to see benefits," Brooks said.

Brooks noted that the same architectural changes that caused hardships in Vista are carrying over to Windows 7, which means that users make the transition will already be up to speed when Microsoft launches the next version of Windows sometime in late 2009 or early 2010.

"Make the investment [in Vista] now," Brooks exhorted channel partners. "Because when you make the investment in Windows Vista, you're not only making it in Vista, it's going to pay forward into the next generation of the operating system we call Windows 7."

Compatibility issues in Vista have also been exaggerated, and Microsoft's Windows Vista Compatibility Center, a database that shows the compatibility status of the most Windows popular devices and software products, is aimed at clearing the air on this front, according to Brooks.

Brooks also introduced the Vista Small Business Assurance program, under which Microsoft will offer free support and one-on-one coaching to small businesses.

"Windows Vista is a good product," Brooks told partners. "We need to make our voices heard."

http://www.crn.com/it-channel/208803174

The problem is it isn't Apple that's the MS Bully...

It's EVERYONE (or a LOT) of those who got Vista that are giving it a bad rap.  In fact, I haven't heard that much from Apple, what I HAVE heard is from just about every business that I know that has changed over, including one that lauded Vista when it first came out, and told me how great it was and how easy it ran their programs.  Ironically, two weeks ago they informed me that Vista was making their electronic portion go caput, and they were having to switch out (at their own expense) to something other then Vista ASAP.

So what's MS going to do...start criticisizing their buyers for having a terrible time with Vista, because it's word of mouth that's making many avoid it as much as possible.  Yeah, that'll work great...

I got a better idea for MS...make a better OS and stop relying on what has previously been almost a monopoly to bully the people who may or may not buy your products.

[marstone]

Brooks noted that the same architectural changes that caused hardships in Vista are carrying over to Windows 7, which means that users make the transition will already be up to speed when Microsoft launches the next version of Windows sometime in late 2009 or early 2010.

This is what bothers me about MS, the next version of windows due out in 2009 or early 2010.  They are always looking to pad their pocketbook.  Finish fixing at least one operating system sometime.

Heck if they keep puting out new operating systems at this rate I can skip probably 2 or 3 versions before I buy my next PC.

[Nemesis]

Windows Vista has been dragged through the mud by the bullies with which it competes, but those bullies are about to get hit with some long overdue retaliation.

Just who is it that is big enough or powerful enough to bully the Microsoft 800lb Gorilla?  I can't think of any Microsoft competitors with the size and strength to directly bully them. 

"There are a lot of myths around Windows Vista. We know the story is very different than what our competitors would like us to think," Brooks told the audience.

In a clear dig at Apple (NSDQ:AAPL) and it's 'I'm a PC, I'm a Mac' advertisements, Brooks suggested that Microsoft is preparing to retaliate against "noisy competitors" with a major new multi-million dollar advertising campaign, something that many channel partners have been hoping the software giant would do for months.

If Apple or anyone is spreading lies or misinformation why hasn't Microsoft long since brought in the lawyers?  If they can demonstrate who is spreading lies and what the lies are then I for one will be cheering them on in winning the lawsuits.

Microsoft should also look at their own past and make sure they don't continue such actions of their own.  Some of us remember the misrepresentations in the Microsoft "Get the Facts campaign" and how they told Novells network customers that they should switch to Microsoft as they didn't know how much longer Novell would be in the networking business (they lost a lawsuit over that one).

With Microsofts history of bullying, "Knife the baby", "Cut off their air supply", "whack Dell" and so on and so forth maybe Microsoft is due for some bullying though I still don't see who has the power to do it and wouldn't approve of it in any case.  Who has that power?  Who is "knifing" Microsofts "baby"?  Who is "cutting off their air supply"?  Who is "whacking" them?  Who and how is what I would like to know and I don't see any clear examples in the article.

[marstone]

Smoke and mirrors my man, smoke and mirrors.  It's that vast right wing conspiracy going after MS now, (since MS Clinton is on the sidelines they need something to do).

[toasty0]

Brooks noted that the same architectural changes that caused hardships in Vista are carrying over to Windows 7, which means that users make the transition will already be up to speed when Microsoft launches the next version of Windows sometime in late 2009 or early 2010.

This is what bothers me about MS, the next version of windows due out in 2009 or early 2010.  They are always looking to pad their pocketbook.  Finish fixing at least one operating system sometime.

Heck if they keep puting out new operating systems at this rate I can skip probably 2 or 3 versions before I buy my next PC.

You could, and when you think about it, isn't that cool?

[Nemesis]

Smoke and mirrors my man, smoke and mirrors.  It's that vast right wing conspiracy going after MS now, (since MS Clinton is on the sidelines they need something to do).

Lets try and keep the political stuff in Hot and Spicy please.   
  Right wing / Left wing doesn't matter. keep it in the appropriate forum 

[Nemesis]

So Bill Gates says to the Devil, "You mean I have to spend Eternity down here using Vista? Can't we just cut to the fire and brimstone?

To which the Devil replies, "Actually you don't have to spend Eternity down here. All you have to do is install Linux on your Vista machine and you can go to Heaven."

"No sweat, I'll be out of here in 20 minutes."

"But there's a catch," says the Devil with a grin.

"Catch? What catch?"

"You have to download and burn your own Linux install CD using only the tools that come with Vista".

[Dracho]

And this has what to do what with Vista?

It's an excellent illustration of what can happen to you when you literally bet the life of your company on Microsoft's ability to deliver a secure product.  Of all the merits of Visa, Microsoft focusing on security is just plain dumb, to the point of being laughable.  They can't even secure their server products.

[Pestalence_XC]

Well at the last OS hackers convention.. OS X for MAC and most Linux lines were wiped out the first day of a 3 day event.. leaving only Vista and Ubuntu .. Due to the makers of Adobe Flash Player and several other people helping, a flaw was discovered in Adobe Flash Player that allowed back door access into Vista (which Adobe fixed 2 days later) and Unbuntu won as being the most secure OS.. Vista was second only because many people (not the hacker by himself) broke in to it.. Ubuntu hacker recieved no help, but I am sure a Vunerability would have been found if he had the same amount of help that the Vista hacker had.


BTW :

The Top 5 Most Overlooked Open Source Vulnerabilities for 2007
For year-end 2007, we have compiled the Top 5 Most Overlooked Open Source Vulnerabilities encountered during 2007. We came up with this list after reviewing over 300 million lines of code and spending literally thousands of hours of analysis across a wide range of industries - including technology, financial services and government, among others.

So what do we mean by "Most Overlooked"? Well first, we mean that these are known vulnerabilities with a high-severity, Common Vulnerability and Exposure, (CVE) ranking found within open source projects that appear in code audits we perform. Secondly, and perhaps even more importantly, these vulnerabilities were found throughout 2007 in some of the most frequently used open source projects that customers did not realize they had.

It's sometimes dangerous to publish a list like this because it can so easily be taken out of context. Let me first stress that open source software is NOT any more vulnerable than commercial software - some folks even point to evidence that it's less vulnerable. The majority of open source projects provide a patched version for issues within hours of discovery.

What does put people at risk, however, is if you don't know that you're using open source components at all. When that's the case, as it so often is, then how can you retrieve the updated versions? When you don't have a system in place to to alert you to available patches or security issues, you put yourself at risk for introducing security vulnerabilities into your organization's code base

So here's our Top 5 Most Overlooked Open Source Vulnerabilities for 2007 in alphabetical order:

1. APACHE GERONIMO : CVE-2007-4548

PROJECT DESCRIPTION: A free software application server developed by the Apache Software Foundation

VULNERABILITY DESCRIPTION: The login method in LoginModule implementations in Apache Geronimo 2.0 does not throw FailedLoginException for failed logins, which allows remote attackers to bypass authentication requirements, deploy arbitrary modules, and gain administrative access by sending a blank username and password with the command line deployer in the deployment module.

PATCH INFORMATION: https://issues.apache.org/jira/secure/attachment/12363723/GERONIMO-3404.patch

2. JBOSS APPLICATION SERVER : CVE-2006-5750

PROJECT DESCRIPTION: JBoss Application Server (or JBoss AS) is a free software / open source Java EE-based application server.

VULNERABILITY DESCRIPTION: Directory traversal vulnerability in the DeploymentFileRepository class in JBoss Application Server (jbossas) 3.2.4 through 4.0.5 allows remote authenticated users to read or modify arbitrary files, and possibly execute arbitrary code, via unspecified vectors related to the console manager.

PATCH INFORMATION:http://jira.jboss.com/jira/browse/ASPATCH-126

3. LIBTIFF : CVE-2006-3464

PROJECT DESCRIPTION: (Library for reading and writing Tagged Image File Format) (abbreviated TIFF) files. The set also contains command line tools for processing TIFF's. It is distributed in source code and can be found (on the internet) as binary builds for all kinds of platforms. LibTiff is embedded multiple Linux distributions.

VULNERABILITY INFORMATION:
TIFF library (libtiff) before 3.8.2 allows context-dependent attackers to pass numeric range checks and possibly execute code, and trigger assert errors, via large offset values in a TIFF directory that lead to an integer overflow and other unspecified vectors involving "unchecked arithmetic operations".

PATCH INFORMATION: http://security.debian.org/pool/updates/main/t/tiff/tiff_3.7.2.orig.tar.gz

4. NET-SNMP : CVE-2005-4837

PROJECT DESCRIPTION: Net-SNMP is a suite of software for using and deploying the SNMP protocol (v1, v2c and v3 and the AgentX subagent protocol).

VULNERABILITY INFORMATION: snmp_api.c in snmpd in Net-SNMP 5.2.x before 5.2.2, 5.1.x before 5.1.3, and 5.0.x before 5.0.10.2, when running in master agentx mode, allows remote attackers to cause a denial of service (crash) by causing a particular TCP disconnect, which triggers a free of an incorrect variable, a different vulnerability than CVE-2005-2177.

PATCH INFORMATION: http://downloads.sourceforge.net/net-snmp/net-snmp-5.4.1.zip?modtime=1185535864&big_mirror=1.
This issue has been addressed in the following (and later) versions: 5.1.3, 5.2.2, 5.3

5. ZLIB : CVE-2005-2096

PROJECT DESCRIPTION: Zlib is a software library used for data compression. zlib was written by Jean-loup Gailly and Mark Adler and is an abstraction of the DEFLATE compression algorithm used in their gzip file compression program.

VULNERABILITY INFORMATION: zlib 1.2 and later versions allows remote attackers to cause a denial of service (crash) via a crafted compressed stream with an incomplete code description of a length greater than 1, which leads to a buffer overflow, as demonstrated using a crafted PNG file.

PATCH INFORMATION: Upgrade to version 1.2.3. http://www.zlib.net/zlib-1.2.3.tar.gz

Vulnerabilities do NOT mean that you should avoid using these popular projects. To the contrary, the quick response and patch availability indicates that these are active projects which consider vulnerabilities a serious issue. Take these projects up on their hard work - and make sure you're using the latest stable version.

We're interested in what your versions of the Top Most Overlooked Open Source Vulnerabilities might be!

- Theresa Bui Friday



The list is partly a promotion of Palamida's Vulnerability Reporting Solution, which recently added 431 security alerts based on National Vulnerability Database listings. However, the list is also designed to draw attention to the lax practices surrounding the use of open source software in business, according to Theresa Bui, co-founder and vice president of marketing at Palamida.

To be precise, the vulnerabilities on the list are based on Palamida's audits of its clients. These audits vary from scans of a few hundred megabytes of code to hundreds of gigabytes in a company's complete software infrastructure. The list summarizes the results of scanning 3-5 million lines of code, representing a minimum of 30% of the software that Palamida scanned for clients, and, more often, at least 50%.

"We collect information on the most popularly used open source projects and versions," Bui says. But, although Palamida's database lists some 884,000 projects and versions, it is unlikely to be complete.



The top 10 vulnerabilities
Palamida provided Linux.com with a spreadsheet ( http://spreadsheets.google.com/pub?key=pzYJf2KSNyF17rP6mA-h0dA ) listing the software affected, what it does, the nature of the vulnerabilities, and the patches and updates that correct the problems. The applications affected include versions of Apache Geronimo and Apache Struts, JBoss Application Server, OpenSSH and Open SSL, and common libraries such as Libpng, LibTiff, and Zlib.

All these vulnerabilities have patches or later versions of the software, Bui stresses. The trouble is that many companies are not aware of the patches and updates -- nor, much of the time, even that they are using the software. Increasingly, the vulnerabilities are not in a company's infrastructure, or on users' desktops, but in the code that the companies are shipping.



For those that think that Linux has no security Vulnerabilities.. Here is Linux pride and Joy Ubuntu Vunerability

http://www.linuxsecurity.com/content/view/138787?rdf

How many fixes do you have to do? and recompile the OS or Kernel?



wow.. I'm glad Windows is here.. all I have to do is download an update.


I guess MS is not the only ones with security problems then, eh?

[Dracho]

But they're the ones using security for a marketing campaing.  Vista is a decent OS, but Microsoft isn't ready to run an ad campaign on security and be taken seriously.

[toasty0]

But they're the ones using security for a marketing campaing.  Vista is a decent OS, but Microsoft isn't ready to run an ad campaign on security and be taken seriously.

Which is so ironic when most of the problems that users complain about are related to the increased security features of Vista.

[toasty0]

And this has what to do what with Vista?

It's an excellent illustration of what can happen to you when you literally bet the life of your company on Microsoft's ability to deliver a secure product.  Of all the merits of Visa, Microsoft focusing on security is just plain dumb, to the point of being laughable.  They can't even secure their server products.

I guess this mean you consider the new sandboxing feature of WinServer08 and Vista worthless?

[Dracho]

And this has what to do what with Vista?

It's an excellent illustration of what can happen to you when you literally bet the life of your company on Microsoft's ability to deliver a secure product.  Of all the merits of Visa, Microsoft focusing on security is just plain dumb, to the point of being laughable.  They can't even secure their server products.

I guess this mean you consider the new sandboxing feature of WinServer08 and Vista worthless?

I don't care if it's an IBM mainframe, a sandbox is an infrasturcture partition, not an OS or logical one.  I realize it'll save smaller companies money, but from a PII perspective, I think it'll cause more problems than it will solve.

How do you think a sandbox would fit into a trusted computing model?  especially in an environment where trusted is defined at a circuit level?

Microsoft products don't rate above C1 on the Trusted Computing scale, so perhaps it's the definition of security that is at issue. 

[marstone]

Smoke and mirrors my man, smoke and mirrors.  It's that vast right wing conspiracy going after MS now, (since MS Clinton is on the sidelines they need something to do).

Lets try and keep the political stuff in Hot and Spicy please.   
  Right wing / Left wing doesn't matter. keep it in the appropriate forum 

OG, it was a slight joke.  Sorry.  Shall not ever do it again.