Tuesday, March 28, 2006

Bessemer Startups To The Rescue

Websense has now detected over 200 web sites exploiting the createTextRange() vulnerability in Internet Explorer 5.01 and 6.0 to deliver malware payloads to desktops. One commonly pushed payload is a keystroke logger, which is the first step toward identity theft.

Unfortunately, Microsoft is still weeks away from issuing a patch. According to SecurityFocus and the Washington Post, two Bessemer portfolio companies, eEye and Determina, have each released a free third-party patch that closes the hole for IE users in the meantime. As with any unofficial patch, it is a stopgap: it should be removed once Microsoft's own update is installed.

No worries for me--I use Flock.


  1. Anonymous, 7:57 PM

    Provocative post but I wouldn't be so cocky.

    Microsoft can crush both companies

  2. [gulp] you're right.

  3. Anonymous, 9:46 PM

    What's the point of funding two companies that are competing with each other?

  4. Anonymous,

    Good question! If you've had a chance to read my posts on investment road maps, you know that we like to first identify a sector and then fund a handful of companies in that sector. The advantages to the portfolio companies are that (we think) we better understand the sector, and that we bring more ongoing expertise to our companies. Even so, as a rule we invest only in companies that do not compete with others in our portfolio. But sometimes two companies that aren't competing when we invest converge later on the same market opportunity, and we do not believe that it would be right for us to unilaterally block them from doing so. That's exactly what happened with Determina and eEye (which wasn't originally in the IPS market).


  5. Anonymous, 12:07 PM

    This game of cat and mouse in security can't go on forever. (Or can it?) What do you see as the future of software security? Do you see a point where a single elegant solution will address most, if not all, exploits?

  6. Anonymous, Microsoft would be quick to tell you their Trusted Code initiative will come Save The Day, like that, but unfortunately it won't.

    Or rather, it would turn the tables a bit, addressing one class of the issue, at the expense of making us have to wait for new software from big, slow players like Microsoft (as small, agile developers would be out of the loop), instead of, like now, waiting for fixes for old software full of security holes. Nor does it address information leak types of bugs and similar flaws making systems more vulnerable to con artists mastering social attack vectors - so people offering the single elegant slate solution are unfortunately in the snake oil business.

    There are common types of plagues we will see an end to in the coming years as operating systems (perhaps most notably Microsoft's, but their competition has its fair share too) mature, but software security is about as vulnerable or as safe as homeland security or real-life everyday security in that it will remain something that takes day-to-day work and maintenance to stay on top of.