KDE fixes SSL hole as MS dithers
Speed vs spin
New KDE binary RPMs have been released, as promised, with a fix for the SSL certificate vulnerability affecting Windows and Konqueror which we reported last week.
"KDE 3.0.3 primarily provides stability enhancements over KDE 3.0.2, which shipped in early July 2002, and also contains a security correction for SSL (Internet security) certificate handling," the organization says.
Also, a patch for KDE 2.2.2 is available for those who prefer not to upgrade their systems to KDE 3.
In the mean time, MS has decided to whitewash the affair and persuade users that the bug in their operating system is harmless, in flagrant disregard of the handy exploit code that's already been released.
Now it's fair to point out that fixing an application like Konqueror is a hell of a lot easier than fixing an operating system like Windows, and no doubt Redmond geeks are working around the clock to address this issue. Still, the open-source community consistently blows MS' doors off in getting on top of security holes, as we've observed on several past occasions. Fair enough; MS is a huge company with numerous products, and it's extravagant to expect them to respond with the speed of more compact organizations.
What's galling here is not the pace so much as the denial. As our readers know, a purloined private key and a bit of ARP spoofing will permit any junior hacker to grab a third party's SSL session. Yet MS refuses to warn its customers, but instead lulls them into a false sense of security. We're reminded of the Hotmail/Wallet hole discovered by Marc Slemko, over which MS was satisfied to leave millions of Passport customers at risk until the story was published. Only then did they grudgingly shut down the service briefly to fix it, while bitching about Slemko's decision to warn people about it.
It's moments like these that make us wonder how any Microserf can utter the words "Trustworthy Computing" with a straight face. ®