Screaming Penguin - Source Does Matter

Remember this momentous occasion! This is the first ToTSP post about a PRODCUTION Win2K major security flaw. Dont ask me why people are employing it (see theory below) but they are. According to ZDNET "Six banks and three major PC makers affected by bug that lets attackers view files stored on Microsoft Index Server. Microsoft issues patch." Yes, you read that right, a product that is not due out for several weeks, is apparently being used already, AND HAS A PATCH AVAILABLE BEFORE ITS RELEASE DATE! Now thats quality control. Check the ZDNET link for more details.There are actually 2 exploits. Once of which uses Index Server which is installed and active by default on Win2K (WHY?) and another that allows the attacker to access information about the targeted network. Microsoft on one hand says "everything is serious" according to the article and then calls one of these exploits "minor." More of the same from Microsoft and some people wonder why the poor reputation. This is ridiculous and software buyers should demand better.AS for why people are already using Win2k in production, well thats a little perplexing, here is my theory:First of all remember the old addage: "If it aint broke dont fix it!" Well when it comes to Microsoft products I will grant you that the first part of that equation pretty much always equates to FALSE in some degree. (Consider for example if you pass the Microsoft NT4 variable to the IfItAintBroke function - IfItAintBroke(MSNT4) == FALSE. ) That said I understand to a minor degree why people are already employing Win2k in production environments. They hope its better than whay they have! However, IT IS STILL NOT A GOOD IDEA. The product is still BETA, yes even the "gold" code, use it for testing but dont deploy it. Consider the past record of Microsoft, how many service packs does it take to make an MS Operating System work? (Win3 = alot, Win95 = >4, Win98 = not yet known, WinNT3 = alot, WinNT4 = wow, alot, even the owl cant keep track of this one.) People use it either because they hope it will fix a specific current problem (very few in this category), add a new feature (few here also) or they think its shiny, fancy and neat so they just have to have it (most current users in this category.) Dont do it unless you have a specific issue it will supposedly help. Here is an example that makes me even more mad at Microsoft. We were told by our corporate Microsoft rep to use Win2K adv to REPLACE the current Terminal Server products at a particular customer account. In regards to a particular issue she said it "works." Well, what in the hell, what about the current RELEASE product, the one we PAID handsomely for, why doesnt it work, you are telling me to replace the expensive production code with new beta code that works?!? Yep. Ridiculous. Consider again that even the new prodcution release will not really be prodcution for a few more years, come on, what were you thinking! You thought you paid mega bank for some software and it should work, HA HA HA HA, jokes on YOU! Dont use it unless you MUST for a specific issue. Microsoft had to get it out on a timeframe that although severly delayed was still premature, and the quality will reflect that (same story as most MS products.)   Win2000 Hole story on ZDNET