eeye.com · Domains · Slashdot Mirror

Statistics and lies by Anonymous Coward · 2005-09-16 10:26 · Score: 0 · on Is The Firefox Honeymoon Over?

Lets say we have two products both with a dozen (12) security holes. In six month, one releases patches for 6 of the 12 problems and the other releases patches for 11 of the 12 problems. Which is the more secure product, the one with 6 problems still left unaddressed or the one with 1 problem still left unaddressed?

Where are you getting the number 6 for exploits of IE? What is the true number of exploits available for each browser? How many of those 6 IE exploits include the ones that Microsoft has not announced and has left wide open. For all the upcoming advisories from eEye Digital Security, not a single one is currently for Firefox. So, I don't care which one had to be patched more in the past. I do care about which one should have been patched over 100 days ago and wasn't!

Statistics and lies by Anonymous Coward · 2005-09-16 10:26 · Score: 0 · on Is The Firefox Honeymoon Over?

Lets say we have two products both with a dozen (12) security holes. In six month, one releases patches for 6 of the 12 problems and the other releases patches for 11 of the 12 problems. Which is the more secure product, the one with 6 problems still left unaddressed or the one with 1 problem still left unaddressed?

Where are you getting the number 6 for exploits of IE? What is the true number of exploits available for each browser? How many of those 6 IE exploits include the ones that Microsoft has not announced and has left wide open. For all the upcoming advisories from eEye Digital Security, not a single one is currently for Firefox. So, I don't care which one had to be patched more in the past. I do care about which one should have been patched over 100 days ago and wasn't!

Lets compare this to Microsoft... by krappie · 2005-09-10 07:46 · Score: 1 · on Patch & Workaround for Firefox Flaw Available

Here is a list of every currently exploitable problem in Microsoft products that a SINGLE company has found.

http://www.eeye.com/html/research/upcoming/index.h tml

They have currently been waiting 165 days for a patch for remote code execution.

Is Microsoft SERIOUS about security? You judge. by Futurepower(R) · 2005-09-10 04:40 · Score: 2, Interesting · on Microsoft Skips Patch Tuesday

Microsoft: We're so great that there is nothing to do this month! Oh, don't worry about those High Severity Remote Code Execution vulnerabilities.

Macromedia and Real Networks have been competing with Microsoft, but Microsoft is considerably ahead in being insecure.

3rd party verification ... by khasim · 2005-09-07 08:05 · Score: 1 · on What is Responsible Disclosure for Security Flaws?

http://www.eeye.com/html/research/upcoming/index.h tml

Looks like certain software companies sit on the issues for a long time (and are still sitting on them).

In their defense, most of the KNOWN viruses/worms/trojans are written after the public release of the patch when the less capable people can see the exploitable code.

And that is the biggest problem. by khasim · 2005-08-27 08:03 · Score: 4, Informative · on Comparison of Java and .NET security

It isn't which is really more "vulnerable".

It is how you define your criteria as to what is "vulnerable" and what is "safe".

They would have done a LOT better in just sticking to the design of each instead of counting admitted vulnerabilities and patches.

Microsoft has been known to sit on vulnerabilities for a LONG time (http://www.eeye.com/html/research/upcoming/index. html

Security starts with the security model. Here is where you'll see patches to disable stuff in a flawed model. You cannot just count the patches here, but they are useful for evaluating the model itself.

Then that model has to be implemented in code. This is where you'll see bug fixes for code errors.

The last thing to look at is any application built by someone else on that platform.

And one last item to consider. Any platform is only as "secure" as the level beneath it. If .Net can be exploited by a vulnerability in Windows, then it can be exploited. This is particularly important because Microsoft builds both platforms.

Here is where they get it wrong on Java:

Both platforms need some way of bootstrapping to install the initial classes and loading mechanisms. Java 1.0 used a trusted file path that gave full trust to any class stored on the path. Code on the system CLASSPATH was fully trusted, so problems occurred when untrusted code could be installed on the CLASSPATH [15]. Java 2 treats code found on the CLASSPATH as any other code, but maintains backwards compatibility by using the bootclasspath to identify completely trusted code necessary to bootstrap the class loader.

So, if Windows is compromised and code inserted to Java to run, then Java is at fault ... but if Windows is compromised and code is inserted for .Net to run, then that shouldn't count because the compromise happened before .Net was running.

Either you count it as a flaw in both, or you don't count it for either.

Re:Yes, but... by Master+of+Transhuman · 2005-08-21 07:32 · Score: 2, Informative · on Opening Up for Open Source

Check http://eeye.com/html/research/upcoming/index.html site for a short list of overdue fixes.

And that's just the vulnerabilities THEY reported.

source code by Anonymous Coward · 2005-08-12 13:10 · Score: 1, Informative · on Exploits Circulating for Latest Windows Holes

im not a fan of eeye so here is the source code of the exploit for people to play with.

its not in the wild its in the public domain now http://seclists.org/lists/pen-test/2005/Aug/0183.h tml anyone who wants the binary for the scanner check below

http://www.eeye.com/html/Research/Tools/exe/Retina UMPNP.exe

Lip service to privacy by Vainglorious+Coward · 2005-08-12 04:22 · Score: 1 · on Exploits Circulating for Latest Windows Holes

In similar vein, note that you have to fill in your email twice . A classic example of why "double opt-in" is utterly meaningless.

Re:Is it really New? by Anonymous Coward · 2005-08-12 03:34 · Score: 0 · on Exploits Circulating for Latest Windows Holes

To be fair to M$, there isn't much they can do more than releasing a patch. Patches will always get quickly reverse engineered and exploits developed, but their Automatic update mechanism in XP SP2 is the best you can hope for amongst the uneducated masses.

What really annoys me is that they actually leave vulns unpatched for months. See eeye:
http://www.eeye.com/html/research/upcoming/index.h tml, there are unpatched IE holes more than 4 months old!

Re:Punishments for minors by Flower · 2005-07-05 09:49 · Score: 1 · on Creator of Sasser Worm Goes on Trial

How is this guy a "promising" programmer? If you look here I don't see a lot that we would be "ruining." Some quotes:

"Similar to the MSBlaster RPC DCOM worm that struck in August of last year, "Sasser" uses a public exploit for the LSA vulnerability in order to obtain a SYSTEM-level command shell on its victims."

"It does not appear that the worm has any function other than propagation (and crashing vulnerable machines as an unintentional side-effect)." emphasis mine

"This is a classic technique used by malware to run malicious executable when Windows starts."

Explain to me again why I have to preserve his career as a programmer? I won't even go into the ethics issue or the PR issue a company will have hiring the guy. How does writing the Sasser worm make this guy promising?

Who needs price comparison sites? by Anonymous Coward · 2005-07-04 02:16 · Score: 0, Funny · on Shopping Online

1. Send zillions of emails containing enticing links.
2. Watch as zillions of sheeple open said links with Internet Exploder.
3. Ensure your site is equipped with the IE exploit du jour.
4. Install keylogger, steal identity.
5. ??? [obligatory, but unnecessary - why not spend this time in Zen-like meditation contemplating the nature of suffering?]
6. Open anonymous delivery address using stolen identity.
7. Visit any shopping site via r00ted Windows box and stolen credit card number.
8. Profit!

More seriously, why not go and tell the Internet Exploder people to get their house in order. If enough people complain then maybe they'll actually release a patch. Remember, they haven't released a patch for these vulnerabilities for NINETY-SEVEN DAYS.

Re:Meanwhile in M$FT land by Anonymous Coward · 2005-07-04 00:33 · Score: -1, Offtopic · on Firefox Ported to Mac OS X for Intel

That's not the end of the story - check this out! - OK, they aren't publicly disclosed proof-of-concepts but those jokers at Microsoft haven't patched a critical vulnerability for NINETY-SEVEN days!! Talk about pathetic.

Re:Good news everybody! by Anonymous Coward · 2005-06-30 15:04 · Score: 1, Interesting · on The 12-minute Windows Heist

Despite being repeatedly asked about them, the Internet Exploder team refuse to answer a simple question: Why have they not fixed their critical security vulnerabilities for over 90 days?

Doesn't anyone actually read the article? by 93+Escort+Wagon · 2005-06-24 03:56 · Score: 2, Informative · on Major Browsers Have JS Pop-Up Flaw

I know, I know, I must be new here. But it was a very short article, and right near the bottom it says this (bold text is mine):

"Once these things are discovered, there's a rush as everyone tries to fix the problem," Christen Krogh, Opera's vice president of engineering said.

Krogh also pointed out that Secunia had rated the vulnerability as "less critical."

"This could fool some users into giving out some data to a site that wouldn't otherwise be able to get that information. But it doesn't seem like the most important issue," Krogh said.

So what does this tell us?

- The folks somehow blaming Opera for this announcement obviously didn't read past the first couple of paragraphs of this very short article.

- The folks who are saying "JavaScript is bad" obviously didn't read... okay I'm sure they just saw the word "JavaScript" and went off from there anyway. Hey, guys, enjoy your static black text on white background pages - and we'll see you in the unemployment line. Any ideas on how to manipulate the DOM without JavaScript?

- While I agree MS shouldn't blow this off, they're probably still busy patching some of those more critical problems.

- Once again, end user education is probably the answer.

regarding the author of Witty by nthomas · 2005-05-25 09:03 · Score: 5, Informative · on Witty Worm Kick-Start Methods Revealed

One of the better worm analysis papers I've read was "Reflections on Witty" by Nicholas Weaver and Dan Ellis (of MITRE), published in the June 2004 issue of ;login, the Usenix magazine.

Rather than a dissection of the worm itself, the authors give a detailed analysis of the author/attacker of Witty.

Some insights about the worm author that Weaver and Ellis proposed:

he was a fairly proficient programmer - there were no significant bugs in the code of the worm, he knew how to program x86 assembly and access the Windows API, he implemented a stack-overflow attack, and most importantly, he constructed a payload that was malicious to the host, but didn't significantly slow the worm's spread.
he was quite clever at what he did - randomly padded packet sizes, randomized the destinations and port numbers, and he seeded the worm (rather than start at a single location, the worm started out from 110 different victims) -- prior to this no one had significantly seeded their worms
he wrote compact code, Witty consists of 177 x86 instructions in 474 bytes (the rest is the buffer overflow and padding); with 177 instructions, he was able to construct routines to cleanup from the overflow attack, seed the RNG, propagate the worm, and execute the malicious payload (Witty slowly overwrites disks on the infected hosts until the machine crashes)
he worked quite fast; the stack overflow in the ISS BlackIce products was published on March 18, 2004. Witty was released on March 19, 2004, less than 48 hours after the security advisory was published by eEye; it is possible that he knew of the vulnerability when eEye notified ISS on March 8, 2004, but the paper goes into why this is unlikely
he probably tested the worm before he released it (cf. the lack of major bugs); this combined with the fact that he seeded on 110 hosts, means that he had access to a wide array of compromised machines -- it probably means he has access to the "hacker underground", to gain access to these machines in such a short time frame

The authors' conclusion is somewhat alarming, they reason that Witty represents a new generation of virus/worm authors: motivated, skilled and malicious individuals who are experts at what they do.

Thomas

Not just one! by vmp17 · 2005-05-15 02:52 · Score: 4, Informative · on Several Critical MSIE Flaws Uncovered

Although eEyes' reports look a bit confusing (look at the "Vulerability is over" image at the bottom), I think according to this page http://www.eeye.com/html/research/upcoming/index.h tml there are 3 security vulnerabilities affecting IE and Outlook that allow remote code execution.
The oldest one is 60 days old now and still not fixed.

Re:Uh oh! by Anonymous Coward · 2005-05-08 03:48 · Score: 1, Informative · on New Mozilla Firefox 1.0.3 Exploit

If by 'known' you mean public, then yes, you are right. However, there are no less than THREE unpatched remote exploits for IE which have been discovered. See:

http://www.eeye.com/html/research/upcoming/index.h tml

I do agree that the 'Firefox is more secure' meme was largely unfounded, but don't let MSFT off the hook so easily. Switch to Opera ;-)

Stolen exploit by Anonymous Coward · 2005-05-08 02:26 · Score: 5, Informative · on New Mozilla Firefox 1.0.3 Exploit

They were already working on patching this, but it was stolen before they could finish and leaked to bugtraq with LIVE material in the exploit (it's not a proof of concept, folks!) and no explanation or advisory.

Reminder: Bugzilla blocks /. referers. Copy URL and paste in new to view. (Beware Slashcode's extra spaces.)

https://bugzilla.mozilla.org/show_bug.cgi?id=29269 1 %lt; Original security bug (probably still blocked to outsiders to prevent someone stealing it before mitigation)

https://bugzilla.mozilla.org/show_bug.cgi?id=29330 2 %lt; Duplicate (reported after leak)

They are going to release a 1.0.4 shortly, I gather.

Still more timely than most of Microsoft's advisories... despite their earlier announcement. http://www.eeye.com/html/research/upcoming/index.h tml

Re:These studies are pointless. Both can be secure by ookaze · 2005-02-17 21:41 · Score: 1 · on Study Finds Windows More Secure Than Linux

Both Linux and Windows servers can be secured very easily. The XP desktop might still have issues, but Win2k3 server is solid and secure.

Yeah right, please go look there http://www.eeye.com/html/research/advisories/AD200 50208.html
and stop the BS about 2003 being secure.

And I strongly disagree with what you say about a Windows server being easily secured. That is just not true. Even experts have a hard time doing it.
And given my experience with Win2003 servers (installed and administered by experts, not by me) or even netcraft, I call BS on your claim of it being stable.

Once again, RTFA! by khasim · 2005-02-17 06:43 · Score: 5, Insightful · on Study Finds Windows More Secure Than Linux

A study comes out saying Windows is better than Linux? Question the results, Impugn the source and dig as deep as it takes to find some political or financial affiliation between them and Microsoft, no matter how assinine or inconsequential.

You left off the part where comments such as your's are mod'ed up even though they contain zero content.

From TFA:

They compared Windows Server 2003 and Red Hat Enterprise Server 3 running databases, scripting engines and Web servers (Microsoft's on one, the open source Apache on the other).

That sounds good. A real comparision of real services running on real servers.

But wait!

The setups were hypothetical, however. Both were in the most basic configuration, an approach that some in the audience suggested may tilt the results in favor of Windows, which comes with more features.

Ford said the idea was to represent what an average system administrator may do, as opposed to a "wizard" who could take extra steps to provide plenty of security on a Linux setup, for instance.

They aren't real setups.

And it gets worse.

Their criteria included the number of reported vulnerabilities and their severity, as well as the number of patches issued and days of risk -- the period from when a vulnerability is first reported to when a patch is issued.

Hmmmm, I wonder if they included the info from www.eeye.com http://www.eeye.com/html/research/advisories/AD200 50208.html 190 days is a long time.

On average, the Windows setup had just over 30 days of risk versus 71 days for the Red Hat setup, their study found.

That's amazing. Particularly with that single 190 day vulnerability I referenced. And those kinds of "studies" have been completely discredited.

So, a "study" that doesn't test any real world criteria is somehow valid?

Oh, it's not that the study is not valid, it's that pointing out the flaws in the study shows the groupthink on /.

And pointing out that perceived groupthink gets you mod'ed up as "insightful".

Allow me to enlighten you. by khasim · 2005-02-06 05:39 · Score: 2, Interesting · on Bill Gates Interview w/ Spiegel

Corrected URL http://blogs.msdn.com/michael_howard/archive/2004/ 10/15/242966.aspx

So why did I chose Secunia? Well, they don't issue advisories, they simply reflect the vendor advisories, and in some instances "rumblings in the marketplace." There is a downside to the site too, as some vendors don't patch so they may look better on Secunia. However, both Microsoft and Apache have good advisory records, so the data is useful.

Great. So he's basing his conclusion on a site that only says what the vendors officially say.

Meanwhile, on eeye http://www.eeye.com/html/research/upcoming/index.h tml
Do you think that's going to make it into Secunia's logs?

He's slanted his "analysis" by choosing a single site that slants towards the vendor's best interest.

Instead, do a vanilla install of the OS.
Then patch the OS.
List all the files.
Then install IIS.
List all the files including ones that have been upgraded.
Then install the first patch for IIS.
Look at what files change.
Second patch.
So on.

Then search to see what you can find about why those files changed.

That's the only way to find the FACTS.

Microsoft can release one patch and claim it is for some minor vulnerability, while wrapping up a dozen major fixes in it and you would never know.

Re:At least they are actively patching... by Zocalo · 2005-02-05 03:53 · Score: 1 · on 13 New Windows Security Vunerabilities

While I largely agree that Microsoft is making an effort, they are still well short of where they ideally need to be. For instance, take a look at this, which is a remote exploit in a default Windows 2000 install allowing an attacker to gain full control over the system. That has to rate as a "Critical" on Microsoft's scale, and yet we are now six months and counting since eEye notified Microsoft of the problem and still no patch.

Perhaps they need to make that idea they had of spending a month just squashing bugs an annual occurrance instead of the one off PR exercise that it appears to have been. In fact, why stop at Microsoft; there are plenty of vendors that could do with adopting this kind of practice and not all of them are closed source either.

His real message isn't the one you think it is. by khasim · 2005-01-29 07:11 · Score: 1 · on Microsoft Claims Linux Security a Myth

His article isn't about FACTS, it is about INSINUATIONS.

From TFA:

"The biggest challenge we need to face centres on the myth and reality. There are lots of myths out there as to what Linux can do. One myth we see is that Linux is more secure than Windows. Another is that there are no viruses for Linux," said McGrath.

Okay, he identifies one "myth". So, in the next statement, you would expect him to provide support for that statement with facts, right? But what do you get instead?

"Who is accountable for the security of the Linux kernel? Does Red Hat, for example, take responsibility? It cannot, as it does not produce the Linux kernel. It produces one distribution of Linux.

You get QUESTIONS.

Suppose it went like this, instead.

"There's a myth that the world is not flat, that it is round." ...
"Well, what happens to the ships that sail over the horizon and NEVER COME BACK?"

"In Microsoft's world customers are confidant that we take responsibility. They know that they will get their upgrades and patches."

Actually, they don't know that. How many years has it been since ServicePack 6a for NT and NT's "end of life"?

Microsoft has a history of dropping support for all but the most extreme problems on their "legacy" systems.

And even on their current systems, Microsoft waits MONTHS AND MONTHS without publishing a patch:
http://www.eeye.com/html/research/upcoming/index.h tml

And the article continues like that. It isn't about illustrating the specifics of problems with Linux.....

It's political. It's about getting the IDEA that Linux's security is a myth into general acceptance.

The way to do that is to have your people and "journalists" repeat it endlessly. Stay on message.

Don't address the facts or real issues.

Keep repeating that there are "myths" and that these "myths" are not true and that the smarter people are starting to see through the "myths".

The credibility of Linux in the enterprise is beginning to suffer, according to McGrath, as companies complete trials and find the platform wanting.

Smart people KNOW what the myths are.

Don't you want to be smart, too?

If you were smart, you'd see the fabric. You'd see how beautiful it is.

If you were smart, you see the clothes made from that fabric. You'd see how nice they looked on the king.

Only dumb people cannot see the clothes on the king.

Oh, sorry. I seem to have wandered into an old fairy tale for children. I did not mean to imply in any way that Nick is playing the same part as the "tailors" in that story.

Anyway, back to the article. Smart people see the "myth" in Linux. Only dumb people cannot see it.

Yep. by khasim · 2004-12-19 18:40 · Score: 1 · on Open Letter to a Digital World

I specifically said "bypass OS security" and you bring up this?
Office is not a part of the operating system. A vulnerability in Office is not a vulnerability in the OS. Office cannot bypass system security including the execute permission.

I showed an example where a Microsoft product's security setting was bypassed via an exploit.

Because it has happened in the past to one Microsoft product, it can happen in the future to another.

You've yet to show any exploits that will bypass system file ACLs, which is what you appear to have been referring to in an attempt to refute a execute deny ACL's effectiveness.
If that's not what you were talking about, you need to be more clear. The only security settings I mentioned were file ACLs; if you wanted to bring up something else, you should say so.

I'm not denying that they are effective.

I am denying that they can be trusted 100%.

Defense in depth.

Yeah, I guess you are right; viruses could still spread across e-mail without needing any extra binary files when the client has a vulnerability. Still, preventing users from running arbitrary executables (at least the ones in the IE cache) would be helpful wouldn't it?

Yes, it would be helpful. Which is why group policies are used to lock down workstations.

But I would not recommend that anyone use that as their only level of defense. Again, Microsoft has had a problem with security settings before and there is no reason to believe that they are 100% safe now.

Defense in depth.

Regardless, all of these have been patched. 3 years ago. If your patches are up-to-date, these vulns are moot. Vulnerabilities and patches are hardly something Microsoft has a monopoly on.

Hmmm, by that line of reasoning, firewalls aren't needed because all of the worm attacks have already had patches released.

It is kind of hard to provide links to attacks that haven't been publicized yet. But the vulnerabilities are still out there. http://www.eeye.com/html/research/upcoming/index.h tml

Remote code execution.

And your post looks like a good outline to implement security on a Windows network for average users.

Thanks.

Just curious, how well is your system working? Do you still have any virus/malware infections? Do you use the default permissions or do you apply a security template, perhaps a custom one? Do you implement a deny-execute ACE for normal users where they have write access? It won't prevent everything by itself, but will provide another layer of security. How do you deal with (poorly designed) apps that require excessive permissions just to run?

It's working great for the regular users. The only problems are the accounting department and the owner of the company. The accounting app requires all kinds of access to just about everything on the hard drive. They have to run as admin. The owner likes to download and play with new toys and since he pays my salary, I just firewall his connection from everyone else's.

We're running GroupWise so we don't have the permission problems of Outlook. I've customized everything we have. It seems to work right now.

I've also moved the user's temp internet folder and regular temp folder to D:\temp and set the permissions there so I can open up their profile a bit. Also, their swap file is there to cut down on fragmentation on C:\.

We've been moving most of our apps to Citrix so the security problems aren't as bad as they could be.

That's why we're still on Win2K. I have it stable and seemingly secure and still functional for everyone. I have a lot of testing to do with XP before I move people to that. My boss is working with it on his laptop.

We're still using IE because we have two web apps that require ActiveX (and we might be deploying a 3rd next year).

Nessus (was: Re:Open source tools?) by rahard · 2004-11-03 00:38 · Score: 1 · on Assessing Network Security

I would say, try nessus. It is a very good vulnerability mapping tool. I use it to test various *nix/windows boxes. It has a lot of options which sometimes overwhelming at the beginning. But, once you get used to it, you'll never leave without it.

Retina is another excellent tool, but pricey.

nmap and nessus are always in my 'bag'. use it on a regular basis.

Re:Still... by digidave · 2004-09-17 04:07 · Score: 2, Informative · on Open Source Security: Still A Myth

That study, if it's the one I remember, used a flawed model for determining when to start the timer for bug fixes.

OSS bugs were termed live once they were informed about it while MS' were live once MS acknowledged the bug, often months after they were informed about it. Check out some Eeye data:

Upcoming advisories
Published advisories (click to see time to fix)

IBM is also bad, but Microsoft seems to be the worst, with most vulnerabilities taking well over 130 days to fix.

Re:Still... by digidave · 2004-09-17 04:07 · Score: 2, Informative · on Open Source Security: Still A Myth

That study, if it's the one I remember, used a flawed model for determining when to start the timer for bug fixes.

OSS bugs were termed live once they were informed about it while MS' were live once MS acknowledged the bug, often months after they were informed about it. Check out some Eeye data:

Upcoming advisories
Published advisories (click to see time to fix)

IBM is also bad, but Microsoft seems to be the worst, with most vulnerabilities taking well over 130 days to fix.

eeye vulnerability in Windows, 123 days+ by puke76 · 2004-09-17 04:05 · Score: 2, Informative · on Open Source Security: Still A Myth

I refer you to this webpage, where Microsoft has not fixed a known vulnerability in 123 days and counting. The others were not fixed in a timely fashion either. Show me an OSS vulnerability of similar criticality where it has taken that long.

Re:If you use IE just turn off active scripting by TheLink · 2004-06-28 04:15 · Score: 1 · on CERT Recommends Mozilla, Firefox

I don't see many good reasons for a genuine _security_ product to _require_ ActiveX and scripting.

That requirement should give you a clue about whether it really is a security product or not.

I've seen this and I'll take my chances with keeping windows secure on my own thank you (with a little help from some *BSD firewalls etc).

Is the "security" product much better than the stuff it's supposed to protect? Is better enough to be worth paying for? Remember you'd have one more thing to keep patched - and it is likely the firewall runs as a privileged process and so firewall bugs could lead to attackers taking over the machine _via_ the firewall.

Something like this happened recently to ISS personal "firewall" and "IPS" products. Go look up the "witty" worm.

If possible keep your firewall separate from your machine. So what if your el-cheapo USD40 hardware firewall gets exploited - you are less likely to lose any personal and irreplaceable data (e.g. holiday/baby photos etc).

Re:Perhaps It Belongs in the OS by BokLM · 2004-06-16 20:03 · Score: 1 · on Microsoft Plans To Sell Anti-Virus Software

Microsoft does patch their OS quickly. The only problem is that many many people don't install the patches they provide. The vulnerability that CodeRed exploited was patched three months before the worm was released. The only reason it caused so many issues was because of incompetent Windows sysadmins.

Have you heard of this Outlook 2003 vulnerability (Script Execution Vulnerability) ?
It was discovered on May 17, but no patche today.
And this Internet Explorer exploit does no have a patche too.
If you look at this, you'll see that it took them more than 6 monts to release their patche on the LSAS vulnerability (used by Sasser).
Is that what you call "patch their OS quickly" ?