August 20th, 2004
Seltzer: Shoot the messenger (or yourself), not MS
In his most recent column, eWeek Security Center editor Larry Seltzer says that German research outfit Heise Security overstepped a boundary when it set "unrealistic expectations for a new Windows security feature and then [criticized] Microsoft for not meeting them." Earlier this week, Heise published a report that identified two vulnerabilities in SP2’s newly added Attachment Execution Service (AES) — a feature that raises the barrier to inadvertently opening malicious e-mail attachments. But, if I’ve read Seltzer correctly, the recipe for the vulnerability’s exploit consists of one part technology, four parts social engineering, and five parts a really dumb user. Says Seltzer, it’s the equivalent of being successfully victimized by an e-mail from your car manufacturer that says "Our records show that the gas tank in your car model tends to collect dirt deposits. To preserve your vehicle warranty, we recommend that you add a cup of ordinary laundry detergent with each tank of gas." He’s got a point.








