Thread: Google fixes flaw before publicized

  1. #1
    In And Above Man Black Cluster's Avatar
    Join Date
    Feb 2005
    Posts
    912

    Google fixes flaw before publicized

    I think MS should look at how things go with Google ... and learn how to fix things ....

    Google Inc. fixed a security vulnerability on its search-engine Web site within days of being notified by security vendor Finjan Software Inc., Finjan said yesterday.
    Finjan's Malicious Code Research Center notified Google of a cross-site scripting vulnerability in September, according to San Jose-based Finjan. Google fixed the problem within "a few days," said a Finjan spokeswoman.

    A Google spokesman wasn't immediately available for comment yesterday.

    The vulnerability could have allowed a remote attack to take over Google accounts or to fake Google's content and deceive computer users into going to a bogus site and giving up personal information, Limor Elbaz, Finjan's vice president of business development and strategy, said in a press release.

    Two Google.com sub-sites contained forms that did not validate and filter input. Because of the lack of data validation and filtering, the vulnerability could have allowed an attacker to inject content and scripts and steal Google.com users' cookies. When users were logged on, an attacker could then gain access to Google services such as account information, saved searches, Google alerts and the user's Google Groups identity, Finjan said.

    Source
    "The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts".....Spaf
    Every time I learn a new thing, I discover how ignorant I am.- ... Black Cluster

  2. #2
    Senior Member
    Join Date
    Jun 2003
    Posts
    236
    Well, I'd say it's a little harder to patch software and get it sent out to billions of people than it is to fix your own website. Not to say M$ does a good job, I just think you're comparing oranges to apples.
    That which does not kill me makes me stronger -- Friedrich Nietzsche

  3. #3
    Member
    Join Date
    Dec 2004
    Posts
    48
    Why Microsoft DOESN'T have to learn: Google, being the new 600lb gorilla in the forest, has to compete to stay viable. Microsoft has a virtual monopoly over home and business desktop environments. When you have a monopoly, you don't have to service the customers....you OWN the customers.

    The climate is changing, though. Hopefully Vista will bomb and more open source initiatives will take a foothold.
    Blankety Blank Blank Blank!

  4. #4
    In And Above Man Black Cluster's Avatar
    Join Date
    Feb 2005
    Posts
    912
    Originally posted here by S3cur|ty4ng31
    Well, I'd say it's a little harder to patch software and get it sent out to billions of people than it is to fix your own website. Not to say M$ does a good job, I just think you're comparing oranges to apples.
    Heh, I meant the prompt response, not the deployment of the fix ....
    Even for a website, MS has a flaw in their update website {Genuine Validation}. Why did they not fix it yet? Is it solely laziness .... man, this is what I mean!

    Cheers
    "The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts".....Spaf
    Every time I learn a new thing, I discover how ignorant I am.- ... Black Cluster

  5. #5
    Hmmm ... Just updated my laptop's WinXP OS on the MS web site (using the Genuine Validation). No problem.

    System rebooted. No problem.

    BC, I agree with SecurityAngel, you're comparing apples to oranges.

    Fixing some cross-site scripting issues in some forms is not the same as finding an obscure overflow condition somewhere in billions of lines of code, fixing it and then getting it out to all of us users.

    Beats the heck outta running a Solaris8 kernel patch (three hours downtime, here).

  6. #6
    Senior Member
    Join Date
    Sep 2005
    Posts
    221
    Originally posted here by Black Cluster
    Heh, I meant the prompt response, not the deployment of the fix ....
    Even for a website, MS has a flaw in their update website {Genuine Validation}. Why did they not fix it yet? Is it solely laziness .... man, this is what I mean!

    Cheers

    "Pull down your pants and bend over, I'm going to service the account."
    Definitions: Hacker vs. Cracker
    Gentoo Linux user, which probably says a lot about me..
    AGA member 14460 || KGS : Trevoke and games archived
