4 days is very, very far from reasonable.
The reality of security is that Windows is more secure than most other operating systems by a very wide margin. Literally. (You can't stop idiots from getting hacked no matter what platform, so that's really not a valid complaint about Windows.)
It is a valid complaint because it is a cultural complaint in my opinion.
-Paul Keith
We're going to have to agree to disagree on that one. I simply cannot see blaming Microsoft because some of its customers are idiots.
To me, it's like blaming Smith & Wesson because some idiot left a loaded gun out for his kid to shoot herself. (There was a recent thread on that one here.) We can't just blame the manufacturer because we're too lazy/stupid/irresponsible.
...
You could almost see it in this thread. Lots of complaints about the reporting, but very little acknowledgement of the incomplete analysis and easily circumvented workaround, when that is just as much a huge deal, if not bigger, from a security perspective, and a bigger security issue considering who disclosed it.
As for this being Microsoft or anyone else -- that's largely irrelevant. The fact is that Google disclosed a security vulnerability without allowing the product vendor the opportunity to fix the problem. This is simply inexcusable and unforgivable. It doesn't matter whether it is Microsoft or anyone else. It is standard to give vendors a couple months to get the problem fixed and rolled out, much less disclose the vulnerability WITH EXPLOIT CODE!!!!!
Actually, I need to take something back. It isn't Google spitting in people's faces. That would be irresponsibly disclosing the vulnerability. They disclosed exploit code. No... Google pissed in everyone's face.
Again, that it was Microsoft only shows that Google is more interested in pissing in people's faces to spite its competition than in acting like a responsible, good corporate citizen.
I seriously doubt that this would happen for ACME Software Inc. because they're not any kind of threat or competition for Google.
Exactly. But look at your post now.
The details, the points, they're all correct. But instead of security, you're more interested in creating analogies of how Google's actions correlate with other rude actions.
At the end of the day, this is what the article has done and that's why I still side with Google on this. Not because it's Google but it's a long time coming and Microsoft's stance needs to be tested further by such acts.
-Paul Keith
But the disclosure is the worse security issue. I'm not glossing over the security issue. I'm addressing the more serious security issue here. Granted, I'm also pointing out the political side of that as well. But you can't really separate the 2. They are linked. The disclosure has a motivation. They need to be in context.
There always will be bugs and exploits in software, but disclosing them in an irresponsible manner like that is the bigger issue. i.e. That there is a security issue (the Windows vulnerability) is the given. But that's not the central issue. New vulnerabilities are not security issues until they are public or actively being exploited. It's the responsibility of the security professional to disclose to the manufacturer, and not to put it out in the open. In that way, security vulnerabilities do not become issues, which is what we all want. We want the problem fixed before it becomes a problem. This guy made a non-problem into a problem. THAT is the problem here. Not the original Windows vulnerability that was not being exploited prior to his disclosure.
It's one thing to be a weapons manufacturer, but it's another thing to sell weapons to thugs, criminals, and terrorists. Which is effectively what happened here.
As for security, Microsoft (in the past few years) has done a very good job. Most companies do not patch security issues nearly as effectively as Microsoft. It's a business issue. Does the risk that an exploit poses justify the cost of patching the issue? For a lot of software authors, the answer is "no".
Having worked in the industry for some time, I've seen exploits before they've been made public and seen companies basically ignore them because the risk was small or the cost was high. It does no good to go out of business because of security costs.
The timing on this is really too much to ignore -- Google just got rid of Windows because of "security", and now this? Hogwash. It's a deliberate attempt to discredit Microsoft and Windows. There is no "lone gunman" here. That's rubbish. But that's the political side of irresponsible security.