[News] [Rival] Another Microsoft Flaw Surfaces, More Bad Patches - Linux
-
Re: [News] [Rival] Another Microsoft Flaw Surfaces, More Bad Patches
On Wed, 09 Jul 2008 15:57:57 -0400, Roy Schestowitz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Symantec Warns of New Word Attack
>
> ,----[ Quote ]
>| Criminals have found a new way to attack PC users, taking advantage of what
>| appears to be a new bug in Microsoft's Word software, according to Symantec.
>|
>| Symantec warned of the attack Tuesday, saying on its Web site that it had
>| seen attackers exploiting "what is possibly an undisclosed vulnerability
>| affecting Microsoft Word."
> `----
>
> http://www.pcworld.com/article/14809...rd_attack.html
The flaw is specific to only one version of Word. Word 2000 SP3. This is
not a broad attack, no other versions appear to be affected.
> Microsoft update kills ZoneAlarm
>
> ,----[ Quote ]
>| PUNTERS who use the ZoneAlarm security package might not want to install MS
>| update KB951748.
> `----
>
> http://www.theinquirer.net/gb/inquir...t-update-kills
>
> More productivity sinks for the company that made horrible
> engineering 'acceptable'.
The problem is most likely with Zone Alarm's software. Firewalls, in
particular, are very sensitive to internal changes. That's just the cost
of doing business at a kernel level. Lots of software breaks in Linux when
the kernel gets updated too, and often requires at a minimum a recompile,
sometimes actual code changes.
Don't act like this is a problem specific to Windows.
> Recent (on fixing a flaw months late, only after attacks began):
Oh, you mean like the recent multi-vendor DNS fix that took 3.5 months to
accomplish?
Frequently, even in open source, security flaws are kept quiet and often
left unfixed for months while the problem is being analyzed and worked on.
That's just the way things work throughout the industry, including open
source.
-
Re: [News] [Rival] Another Microsoft Flaw Surfaces, More Bad Patches
Erik Funkenbusch writes:
> On Wed, 09 Jul 2008 15:57:57 -0400, Roy Schestowitz wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Symantec Warns of New Word Attack
>>
>> ,----[ Quote ]
>>| Criminals have found a new way to attack PC users, taking advantage of what
>>| appears to be a new bug in Microsoft's Word software, according to Symantec.
>>|
>>| Symantec warned of the attack Tuesday, saying on its Web site that it had
>>| seen attackers exploiting "what is possibly an undisclosed vulnerability
>>| affecting Microsoft Word."
>> `----
>>
>> http://www.pcworld.com/article/14809...rd_attack.html
>
> The flaw is specific to only one version of Word. Word 2000 SP3. This is
> not a broad attack, no other versions appear to be affected.
>
>> Microsoft update kills ZoneAlarm
>>
>> ,----[ Quote ]
>>| PUNTERS who use the ZoneAlarm security package might not want to install MS
>>| update KB951748.
>> `----
>>
>> http://www.theinquirer.net/gb/inquir...t-update-kills
>>
>> More productivity sinks for the company that made horrible
>> engineering 'acceptable'.
>
> The problem is most likely with Zone Alarm's software. Firewalls, in
> particular, are very sensitive to internal changes. That's just the cost
> of doing business at a kernel level. Lots of software breaks in Linux when
> the kernel gets updated too, and often requires at a minimum a recompile,
> sometimes actual code changes.
>
> Don't act like this is a problem specific to Windows.
>
>> Recent (on fixing a flaw months late, only after attacks began):
>
> Oh, you mean like the recent multi-vendor DNS fix that took 3.5 months to
> accomplish?
>
> Frequently, even in open source, security flaws are kept quiet and often
> left unfixed for months while the problem is being analyzed and worked on.
> That's just the way things work throughout the industry, including open
> source.
Or the more than a year old SSH flaw which had opened up Debian systems
to the world undetected for so long?
-
Re: [News] [Rival] Another Microsoft Flaw Surfaces, More Bad Patches
On 2008-07-09, Erik Funkenbusch claimed:
> On Wed, 09 Jul 2008 15:57:57 -0400, Roy Schestowitz wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Symantec Warns of New Word Attack
>>
>> ,----[ Quote ]
>>| Criminals have found a new way to attack PC users, taking advantage of what
>>| appears to be a new bug in Microsoft's Word software, according to Symantec.
>>|
>>| Symantec warned of the attack Tuesday, saying on its Web site that it had
>>| seen attackers exploiting "what is possibly an undisclosed vulnerability
>>| affecting Microsoft Word."
>> `----
>>
>> http://www.pcworld.com/article/14809...rd_attack.html
>
> The flaw is specific to only one version of Word. Word 2000 SP3. This is
> not a broad attack, no other versions appear to be affected.
According to MICROS~1.
Symantec, who reported the flaw, says "Initial analysis suggests that
some Microsoft Office versions, even when fully patched, are affected
by this exploit."
In coming days, weeks and months I guess we'll get to see who is
correct in the analysis: the lying, convicted monopolist, or the
company that makes a living trying to (futilely) "protect" the products
of the lying, convicted monopolist. I expect there will be a patch for
several versions of Offal soon.
--
Failure is not an option. It comes bundled with your Microsoft product.
-
[News] [Rival] Another Microsoft Flaw Surfaces, More Bad Patches
Symantec Warns of New Word Attack
,----[ Quote ]
| Criminals have found a new way to attack PC users, taking advantage of what
| appears to be a new bug in Microsoft's Word software, according to Symantec.
|
| Symantec warned of the attack Tuesday, saying on its Web site that it had
| seen attackers exploiting "what is possibly an undisclosed vulnerability
| affecting Microsoft Word."
`----
http://www.pcworld.com/article/14809...rd_attack.html
Microsoft update kills ZoneAlarm
,----[ Quote ]
| PUNTERS who use the ZoneAlarm security package might not want to install MS
| update KB951748.
`----
http://www.theinquirer.net/gb/inquir...t-update-kills
More productivity sinks for the company that made horrible
engineering 'acceptable'.
Recent (on fixing a flaw months late, only after attacks began):
After Attacks, Microsoft Fixes Jet Database Flaw
,----[ Quote ]
| Security experts say that the Jet flaw (MS08-028) should be patched first,
| since it has already been exploited. Microsoft had previously warned of this
| bug in a March 21 advisory.
|
| [...]
|
| Microsoft also patched two critical flaws in Word and a critical Publisher
| bug.
`----
http://www.pcworld.com/businesscente...base_flaw.html
Related:
,----[ Quote ]
| Problems found in an audit of Diebold tabulation records from an Ohio
| November 2006 election raise questions about whether the database got
| corrupted during the tabulation of election results...
|
| The database is built from Microsoft's Jet database engine. The
|                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
| engine, according to Microsoft, is vulnerable to corruption when a lot
|                                    ^^^^^^^^^^^^^^^^^^^^^^^^
| of concurrent activity is happening with the database, such as what
| occurs on an election night [and Microsoft advises against using Jet in
| a complex environment]...
|
| The report mentions that election staff had trouble with the server
| crashing and freezing on election night....
|
| The report notes that with punch card machines election officials used
| to be able to determine definitively if all ballots had been counted
| in the results....
`----
http://blog.wired.com/27bstroke6/200...d_vote_da.html