[4741] in WWW Security List Archive


RE: Latest Java hole is Netscape/Sun only

daemon@ATHENA.MIT.EDU (Thomas Reardon)
Sun Mar 9 23:25:46 1997

From: Thomas Reardon <thomasre@microsoft.com>
To: "'bve@quadrix.com'" <bve@quadrix.com>
Cc: "'www-security@ns2.rutgers.edu'" <www-security@ns2.rutgers.edu>
Date: Sun, 9 Mar 1997 18:46:09 -0800
Errors-To: owner-www-security@ns2.rutgers.edu

Believe me, this last week has taught us some painful lessons.  We'll
try to articulate an overall policy, both in terms of technical reviews
but also public education and announcements, this coming week.  I use the
phrase 'overcommunicate' around here, and I think folks are starting to
grasp it.

-Thomas

>-----Original Message-----
>From:	bve@quadrix.com [SMTP:bve@quadrix.com]
>Sent:	Sunday, March 09, 1997 6:21 PM
>To:	Thomas Reardon
>Cc:	www-security@ns2.rutgers.edu
>Subject:	Re: Latest Java hole is Netscape/Sun only
>
>
>   From: Thomas Reardon <thomasre@microsoft.com>
>
>   just a quick note that the VM bug affects only Netscape and Sun
>   implementations.  that means IE for Windows is ok, but IE for Mac (Sun's
>   VM) is vulnerable.  we're off the hook for once this week ;)
>
>   -Thomas Reardon
>   Microsoft
>
>You know, the most interesting things about this latest Java bug are:
>
>	1) Sun discovered it themselves -- not some outside party -- during a
>	   "regular security review".
>	2) In part due to #1, the patches have already been released.
>	3) Sun ANNOUNCED THE PROBLEM to all major venues.  This is probably the
>	   most important distinction.  I give a company credit when they
>	   announce their problems, along with the fixes.  MS is notorious for
>	   hiding their problems, until someone makes them speak up.
>
>Please understand that I am *not* trying to slam MS for this!!!
>I am instead attempting to point this out as an example to be followed.
>Mr. Reardon, if you can make *anyone* at MS listen to you, tell them to be
>forthcoming with problems, so that we may all protect ourselves ASAP.  Stop
>trying to play "holier than thou" with security.  As you've found out this
>week (and as I think you've said in the past) no software is bug-free.  I'm
>not going to shoot MS for having a bug.  I'm going to shoot them for all the
>games they play with their holes, and others....
>
>
>				     -- Bill Van Emburg
>Phone: 908-235-2335			Quadrix Solutions, Inc.
>Fax:   908-235-2336			(bve@quadrix.com)
>Check out http://yourtown.com!		(http://quadrix.com)
>	"You do what you want, and if you didn't, you don't"
