echo: nthelp
to: Rich
from: Geo
date: 2005-05-20 06:28:50
subject: Re: .NET is secure?

From: "Geo" 

Rich,

If they don't matter then why did I have to download a 10mb patch and
then a 1.5mb patch? Also don't misunderstand what I'm saying, I'm
definitely NOT saying that the .NET framework is less secure than any
other piece of software out there, it's about average imo. What I am
saying is I didn't need it or the patches except to run this one program
I wanted to try and my issue wasn't even that it's needed patches over
its lifetime but that the current version isn't patched and even the
10mb patch wasn't patched.

I do not like the whole idea of Windowsupdate as the ONLY patch method
for one reason. Let's see you use it to patch NT4workstation, Win95,
Win98, or anything else MS feels doesn't require support anymore.

If when MS made that decision they put all the patches for these products
on some website/ftpsite and did it in a nice organized way to take care
of the remaining customers still running these products then I wouldn't
have the issue but just go and try to reinstall NT4ws and patch it today
and well you'll certainly understand my point then.

If it were up to me, there would be a law that says when a software
product is EOL'ed, the final act of the authors must be to make available
a final release that contains everything up to that point and that all
copy protection must be removed so when the copyright expires the world
can enjoy the product they protected with that copyright for so long.

Geo.
  "Rich"  wrote in message news:428d849e{at}w3.nls.net...
     GDI+ had nothing to do with .NET.

     The DoS attacks were CPU usage due to large contrived complex
     cases.  The first and last were meaningful bugs.  Two in four years
     is not so bad.  All of these are server side issues that only are an
     issue if you explicitly make use of these.  None would affect you on
     the client.  None would affect you on the server either just by
     installing.

  Rich


    "Geo"  wrote in message news:428b17d7$1{at}w3.nls.net...
    "Peter Sawatzki"  wrote in message
    news:428a190e{at}w3.nls.net...

    > I don't see why you have a less secure system when installing .NET.
    > Installing a runtime that enables the system to run application built
    > in a more secure environment enhances your system.

    Well let's start with the fact that .NET is 23mb of stuff and the first
    patch I had to apply was over 10mb and the second patch was 1.5mb.

    If it doesn't make me less secure, why all the patches? Let's see..

     2005-02-08: Microsoft ASP.NET URI Canonicalization Unauthorized Web
                 Access Vulnerability
     2005-01-18: Microsoft GDI+ Library JPEG Segment Length Integer
                 Underflow Vulnerability
     2003-12-11: Multiple Vendor XML DTD Parameter Entity SOAP Server
                 Denial Of Service Vulnerability
     2003-12-09: Multiple Vendor XML Parser SOAP Server Denial Of Service
                 Vulnerability
     2002-06-08: Microsoft ASP.NET StateServer Cookie Handling Buffer
                 Overflow Vulnerability

    Still think it's not a security issue?

    Geo.


--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
SEEN-BY: 633/267 270 5030/786
@PATH: 379/45 1 106/2000 633/267

SOURCE: echomail via fidonet.ozzmosis.com
