<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>You should already know about this...</title><link>http://blogs.technet.com/b/kevinremde/archive/2006/01/05/417000.aspx</link><description>And if you don’t know about it, and you consider yourself an “IT Pro”, then shame on you for not being connected and informed in areas of Security that are CRITICAL to your job, bozo. 
 
 “What’s up?” 
 Recently a vulnerability was found in the way</description><dc:language>en-US</dc:language><generator>Telligent Evolution Platform Developer Build (Build: 5.6.50428.7875)</generator><item><title>re: You should already know about this...</title><link>http://blogs.technet.com/b/kevinremde/archive/2006/01/05/417000.aspx#417111</link><pubDate>Sat, 07 Jan 2006 17:50:27 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:417111</guid><dc:creator>Kevin Remde</dc:creator><description>Oh, I agree with that too, Vlad.  That also weighs into the calculation.  Along with that was the fact that when there are known workarounds, then we might have a way to help the network owners protect themselves in the meantime.</description></item><item><title>re: You should already know about this...</title><link>http://blogs.technet.com/b/kevinremde/archive/2006/01/05/417000.aspx#417073</link><pubDate>Sat, 07 Jan 2006 00:58:08 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:417073</guid><dc:creator>Vlad Mazek</dc:creator><description>Tony,&lt;br&gt;&lt;br&gt;I concede my wording left a lot to be desired. Yes, it was rated critical and there was an exploit, however, the exploit was wasted on driving traffic to an adware site which from my standpoint is not as damaging as perhaps a DDoS or sending clients private information.&lt;br&gt;&lt;br&gt;I guess what I wanted to say is that while we were not damaged by the exploits available for this hole I hope Microsoft considers making hotfixes available in the future if the active exploits cause more damage than would be caused by a poorly tested patch. At some point Microsoft needs to let the network owner establish their own risk tolerance.
&lt;br&gt;&lt;br&gt;-Vlad &lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=417073" width="1" height="1"&gt;</description></item><item><title>re: You should already know about this...</title><link>http://blogs.technet.com/b/kevinremde/archive/2006/01/05/417000.aspx#417057</link><pubDate>Fri, 06 Jan 2006 19:54:03 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:417057</guid><dc:creator>tonysoper_MSFT</dc:creator><description>Just for the record, I disagree with Vlad's assertion &amp;quot;This was not a wildly dangerous exploit to begin with...&amp;quot;&lt;br&gt;The vulnerability is rated critical&lt;br&gt;The exploit was zero-day&lt;br&gt;It doesn't get more dangerous than that in the risk-management rubric most folks use.&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=417057" width="1" height="1"&gt;</description></item><item><title>re: You should already know about this...</title><link>http://blogs.technet.com/b/kevinremde/archive/2006/01/05/417000.aspx#417044</link><pubDate>Fri, 06 Jan 2006 17:09:38 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:417044</guid><dc:creator>Kevin Remde</dc:creator><description>Hi Vlad.  Thanks for commenting... and you make some strong arguments.  &lt;br&gt;&lt;br&gt;Really, though; going back to my point about sufficient testing... Realize that the Security powers-that-be understood how much damage was being done or what the potential for damage was.  But I highly recommend that you read Mike Nash's post on the MSRC blog; specifically point #3 in his 3 &amp;quot;things we know for sure&amp;quot; list.  
&amp;quot;The only thing worse than having to deploy an update is having to deploy that same update twice because of a quality problem with the update.&amp;quot;  How much more damage could be caused if some common, critical business application or functionality were lost temporarily because the patch screwed something up?  As I've said - I've seen it happen.  Several years ago there was the uproar when a Microsoft update completely screwed things up and the company I was managing IT for lost the ability to use Terminal Services.  Ouch.  The cure was worse than the disease!  I was happy to read that a big reason we were able to release it early at all was due to some amazing, heroic efforts on the part of the quality assurance / test folks who were able to sign off on this earlier than anticipated.&lt;br&gt;&lt;br&gt;Here's the MSRC blog address (for those of you who didn't see my other post on this subject):&lt;br&gt;&lt;a rel="nofollow" target="_new" href="http://blogs.technet.com/msrc"&gt;http://blogs.technet.com/msrc&lt;/a&gt;&lt;br&gt;&lt;br&gt;-Kevin</description></item><item><title>re: You should already know about this...</title><link>http://blogs.technet.com/b/kevinremde/archive/2006/01/05/417000.aspx#417017</link><pubDate>Fri, 06 Jan 2006 06:42:20 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:417017</guid><dc:creator>Vlad Mazek</dc:creator><description>Kevin,&lt;br&gt;&lt;br&gt;If you don't want to read an extended explanation: Yes, Microsoft should have released this patch prior to completing full regression testing, provided that it came with a warning as do all of the Microsoft hotfixes.&lt;br&gt;&lt;br&gt;Now on to the extended commentary:&lt;br&gt;Software vendors should not dictate the security policy of their clients, especially when those clients have paid for software and support. 
This was not a wildly dangerous exploit to begin with, but I hope it sets a precedent for future security policies at Microsoft. If we have an immediate danger that cannot be eliminated through the use of antivirus, firewalls, stateful packet filtering, and user education should we still sit in the water while Microsoft defines our risk tolerance?&lt;br&gt;&lt;br&gt;I for one hope not. Microsoft must understand that Microsoft clients need to be able to respond in a timely manner and must have the ability to assess their own risk tolerance, especially if an untested patch is available. I can only offer myself as an example. I manage around 4,000 servers with 23 GigE connections to the Internet. If I had no way to protect a network with that much horse-power and bandwidth would Microsoft share the part of the bill when a serious, unpatchable security exploit was used to create tactical strikes taking down major ecommerce sites world-wide?&lt;br&gt;&lt;br&gt;Large scale example, but I hope these matters are considered seriously now before we see them on CNN.&lt;br&gt;&lt;br&gt;Sincerely,&lt;br&gt;&lt;br&gt;Vlad Mazek&lt;br&gt;MCSE 2003, Exchange MVP&lt;br&gt;&lt;a rel="nofollow" target="_new" href="http://www.vladville.com"&gt;http://www.vladville.com&lt;/a&gt;</description></item></channel></rss>