I'm right there with you, Frank, on one condition. You hold *every* software vendor to the same standard. IOW, "Apache should be required to fix their own, broken products"..."RedHat Linux should be required"......"Oracle should be required"....."sendmail"....."wuftpd"....."php"..."mysql"...etc., etc., etc., ad infinitum, ad nauseam.
Instead of requiring the consumer to install patches, Microsoft should be required to fix their own, broken products. That means that they should send their army of engineers (a lot of whom are now carrying the CISSP certification) to the consumers and have their engineers correct the flaws in their products. They sold flawed products, they should fix it.
Paul Schmehl (pauls@xxxxxxxxxxxx)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html