code red and MS's liability...

Craig White plug-discuss@lists.PLUG.phoenix.az.us
Sat, 11 Aug 2001 17:00:15 -0700


> -----Original Message-----
> From: plug-discuss-admin@lists.plug.phoenix.az.us
> [mailto:plug-discuss-admin@lists.plug.phoenix.az.us]On Behalf Of Eric
> Sent: Saturday, August 11, 2001 11:52 AM
> To: plug-discuss@lists.plug.phoenix.az.us
> Subject: RE: code red and MS's liability...
>
>
> What was said prior was theoretically correct: Although any user
> who enters
----
since you decided to repeat yourself...

It can be reasonably assumed that Microsoft was unaware of the vulnerability
in the indexing services. They did release a patch once the vulnerability
was discovered and prior to the 'public' existence of a code red worm. I
have to believe that this absolves them of most if not all of the liability
on this issue.

Perhaps you want to make the larger case, that Microsoft is guilty in
general of callously disseminating software replete with security holes. The
travesty of the Outlook/Outlook Express vbs script vulnerabilities
specifically - they released Outlook 2000 with the same security issues -
fully known to them and didn't change things but rather required the
separate download and patch for each installed copy to protect it. That was
a rather unsound practice. Also, they continue to distribute Windows 98, ME,
2000 and NT with known security issues that require you to visit
windowsupdate.microsoft.com to patch and do not supply a separate disk with
the patches or incorporate them into the distribution software. Those are
far more serious issues. Consider the notion that a majority of these
machines vulnerable to the code red worm are not IIS servers run by
businesses but perhaps home users running Win2K Professional and there was
the suggestion on the seawolf mailing list that some are actually Windows98
running Microsoft's personal filesharing.

Craig