Q5sys wrote: DMcCunney wrote: How many systems were "remotely BSOD'd"?
I'd be more annoyed about the flaw being re-introduced than by the month between re-introduction and patch. 2K, XP, Vista, and Win7 are all built on NT code. You would think the fix in 2K would have persisted.
But MS is a big company, with associated slow reaction times. (Think of the dinosaur...) Someone reports something like this, and first they have to investigate to confirm it is indeed a bug, then they have to decide who should make the fix, and then, finally, whoever draws the short straw must figure out how to make the fix, which must go through QA and regression tests before being released. Given the bureaucratic structure of Microsoft, and the number of people who get to piss in any soup before it gets out the door, a month between reintroduction of the flaw and a patch to fix it sounds like relatively quick work.
How many... that's not something I have any idea about. (And if I did, it probably wouldn't be legally advisable to state so on a forum that's being cached by Google for all eternity.) From what I've heard, MS was informed of it but never addressed it.
I wouldn't worry about the legalities. If you can state verifiable facts, it's not illegal.
I doubt there were many, as it would have made a fairly big splash, and the bad press would have forced MS's hand. Major corporate customers would have been all over them about it.
Finally it was publicly released and then MS decided they'd eventually fix it. Which to me is a typical response from MS. Know something is an issue but not fix it until it becomes public knowledge and they start getting flogged about it. I.e., only fix an issue once it starts to become a PR issue.
Not really. See my comment above about how serious an issue it actually is when a vulnerability is revealed. MS releases critical patches on a regular basis, and they aren't all fixes to headline-getting flaws.
The reason I don't think a month is a reasonable time to fix the issue is that the fix was already known. And they fixed it the same way they did the first time it was an issue. It shouldn't take a month to fix a problem that A) you have known about and B) have already fixed in the past the same way.
Agreed that it shouldn't take long to make the actual fix, especially since both the problem and the solution were known.

Deciding they indeed should make the fix, and the time frame in which they need to do it, is another matter.
I understand that massive companies have a ton of red tape to do anything. But for as long as MS has been around, and as many times as they've been around the issue of fixing flaws, they should have managed to find a way to rapidly address security flaws. The fact that they haven't in all these years, to me... is a symptom of a larger issue. Whether that issue is apathy, bureaucracy, or just plain bad management, I don't know.
How rapidly they address issues is in part predicated on the severity of the issue (or at least, how severe they think it is...). They have been known to issue off-cycle patches for really severe stuff.

But what I know of their build and release process reminds me a bit of Hollywood making motion pictures: it's a bit of a miracle anything gets out the door, and it's no surprise that what does get out is often disappointing.
______
Dennis