Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: InfoSec Poll Results - PollInternet Security | DShield InfoSec Poll Results


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Poll Results

0 % =>Just fine to get back at the ''I'm a mac'' ads and the Apple fans. Works is unfortunate collateral damage in the marketing war.
11.7 % =>They should have just fixed CVE-2009-0556 (also for Office 2004)
0 % =>Ok, I'm with Microsoft!
0 % =>I'm recommending Apple users uninstall office and switch to iworks or openoffice.
0 % =>Irresponsible, and a failure of the ''responsible disclosure'' policy.
Total Answers: 861

Selected Comments

  • If we are going to adhere to the idea of 'responsible disclosure', then we need to be consistent. I personally prefer immediate disclosure as it is easier to look for mitigating actions than it is to remediate compromises.
  • i'm not with microsoft but its no big deal
  • Mac office has been ignored for a long time, why is everyone suprised?
  • Two things: The vast majority of users are being patched, Mac is small potatoes for this application in comparison to Windows and how is this any different than the staged Adobe Reader updates recently where older versions and *nix versions were not patch
  • Sick of the whinning. Don\'t use MS-Office then. there are alternatives.
  • I recommend they keep 10-20% of their Office installations so someone in the office can convert files when necessary
  • Well Macs are so safe ..... aren't they?
  • I think this biased poll is more irresponsible than the disclosure :(
  • But why am I unsurprised??
  • Shame on Microsoft. How hypocritical of them to pull this stunt.
  • It's just not possible to have your cake and eat it. I'm all for immediate disclosure for OS and productivity - mitigation of the problem is then possible instead of blundering onprotected in the dark.
  • Taking a look at market shares sez they're protecting the majority which is what counts the most
  • It's worth noting that according to the Security Vulnerability Research and Defense blog from Microsoft, that the Mac version was "unlikely to be reliably exploited" before they could release a patch.
  • It seems microsoft do not fully support their software on Mac
  • Stop whining.
  • They'll never learn!
  • And they should have fixed CVE-2009-0556
  • Sadly, it is what I expect from Microsoft. Good think I only use Word to generate documents, and not to view/edit work from other people. (I use Abiword and OpenOffice for that.)
  • I think the SANS post is a total joke. Seriously Microsft is damned if they do and damned if they don't, Office and Mac and Works??? Really from an enterprise perspective for a vulnerability that is actively being leveraged to attack people on the Windows
  • it was the better of two evils...waiting until all patches were ready was worse.
  • Microsoft's way of saying,"It's time to retire Office 2004." ??
  • Patches for CVE-2009-0556 are ok, this vuln. is pbulic, but the other two, unknown vuln. should be patched when the Mac-patches are ready
  • sigh - Microsoft got it half-right... again. :-(
  • I'm seriously considering removing PowerPoint from all of our managed OS X machines until such a time as a patch becomes available.
  • This is not new, it is on-going!
  • MS' version of "responsible" disclosure is neither responsible, nor disclosure. This fiasco only highlights that fact.
  • Why is anyone surprised? It puts them a leg up on Apple.
  • Their disengenuosness & pseudo-logic are reprehensible.
  • It does not help that there is no generallly accepted concensus on what is "responsible behavior". Perhaps if there were, Microsoft and every other software developer could have their feet held to the fire.
  • Unfortunately, this is so typical. That's one reason, I still have a version of Office 2000 in shrink wrap that I won in a raffle. Haven't used Office since 1998 and have NEVER missed it!!
  • Utterly ridiculous
  • Their actions are either short-sighted or malicious
  • Why not stay silent for Unpatched Vulns?
  • Prepare to see more of this - according to their published lifecycle, Microsoft is ending security patches for Office 2004 in October.
  • This is why I don't depend on MS for security.
  • Uncharacteristically, I'm defending Microsoft: if this really was being actively exploited it makes sense to release fixes as soon as possible since each patch only reduces the number of people at risk
  • This is normal behavior for Microsoft
  • I looked at the MSRC blog entry where they mentioned what they had done
  • Put up or shut up seems to apply. If they don't have a patch, don't tell everyone what's broken.
  • MAC office has been ignored by microsoft for a long time. this is not new
  • I just hate all new "responsible disclosure". Full disclose or be quiet. The "I know something, but I can't tell you" is just stupied.
  • releasing the Mac fixes on the regular release cycle means a month of exposure but perhaps Microsoft should get some credit for rating those holes as Important, not Critical and an exploit is unlikely
  • Seriously, even with a patch available, the spammers will still target Windows and not Mac. There will be fare more unpatched windows host available than Mac
  • Who uses mac for business anyways. "MAC is cute"
  • the answer missing from your choices is "no big deal"
  • I fear "irresponsible disclosure" from others may increase. Just following the example set by Microsoft.
  • If none of the bugs fixed by 10.5.7 have been exploited yet, this one will also not be exploited in the near future
  • I think their behavior on MS08-070 was even more irresponsible.
  • I'm a firm believer of not throwing stones in a glass house. Apple is one of the biggest offenders in my view.
  • Part of their new marketing plan
  • What's good for the goose....
  • Also recommend using OpenOffice (NeoOffice)
  • Disastrously hypocritical of Microsoft.
  • open office or neo office is available for mac, as well as iwork
  • Why would anyone running a Mac want software from MS?
  • Does anyone expect Microsuck to behave in a logical predictable responsible fashion from one minute to the next? If so, I want some of what you're smokin'!
  • does not surprise however
  • Just look at their refusal to work with industry standards like CVSS - they score their vulnerabilities how they want, and as they see fit with CVRF instead. Works for them.
  • we know what we already knew -- office is full of holes and there is reason to believe that won't change.
  • Poll Archives

    1. How bad do you think Badlock will be?
    2. The end of XP is looming where are you at?
    3. What is going to trouble you the most in 2014?
    4. What are your plans when XP is no longer supported?
    5. What is your main concern about Java?
    6. Which of the following issues impacted the most your business in 2012?
    7. What are the top 5 unresolved (or underresolved) security issues of 2012?
    8. Cyber Security Awareness Month Activities 2012
    9. Are you currently using a Security Information and Event Management (SIEM) solution to collect security logs?
    10. Which security patch delivery schedule do you prefer? Choose according to your role-- if you install the patches yourslef, choose the system administration option.
    11. Which security patch delivery schedule do you prefer?
    12. Phishing and client side attacks, the future?
    13. What security issue concerns you the most this year?
    14. Do you monitor or otherwise secure your printers in your environment?
    15. In the coming 12 months, what is your deployment plan or status with IPv6?
    16. How are you dealing with Malicious Domains?
    17. How is your organization dealing with Windows executables?
    18. Which of the following issues affected your business in 2010?
    19. What is your biggest fear with Mobile Devices in your enterprise?
    20. The most annoying web application attacks are ...
    21. What is your opinion of the actions of the "Microsoft-Spurned Researcher Collective"? (Full disclosure with no vendor notification)
    22. How do you protect your internet connected mobile devices such as smart phones and PDAs from malware and how do you know it works?
    23. How is your organization handling PDF documents?
    24. What DNS server do you use as a resolver?
    25. I back up data on my home PCs...
    26. Do you have port 445 blocked at your firewall?
    27. How many insider threat cases have you dealt with so far this year?
    28. Trial software and Bloat pre-installed on new PCs...
    29. Has your organization dealt with any of the following during the past 12 months?
    30. Do you use virtualization in the DMZ?
    31. Defective harddisks under warranty, containing sensitive data...
    32. Microsoft's 'responsible' behavior in releasing MS09-017 was:
    33. Does your organization have a pandemic plan?
    34. Our web application security is controlled by:
    35. How was your organization affected by Conficker C?
    36. How is your organization handling Conficker C?
    37. If you plan to deploy, or have deployed Wireless, in what frequency do you plan to deploy 802.11n?
    38. Have you received notification that you are the victim of a security breach? If so, did you receive an offer for credit monitoring?
    39. How is the economic downturn affecting your IT Security Program?
    40. My security budget for 2009 is:
    41. Has your organization suffered a DDoS (Distributed Denial of Service) attack in the last year?
    42. How are you securing your Wireless Networks?
    43. How are you handling the “out-of-band” MS08-067 patch?
    44. What activities are you having for Cyber Security Awareness Month?
    45. When was your last Incident Response Test Exercise?
    46. How are you handling the DNS vulnerability issue?
    47. How do you handle data leakage protection?
    48. How do you secure remote presentation software (Webex, Netmeeting, etc)?
    49. What have you done to secure your home networking equipment?