The vulnerability still exists in Internet Explorer in that it's very lenient in how it pulls CSS, but right now nobody is publishing a way that it can be leveraged to do something useful. That's not to say that somebody won't find a way. I'm sure somebody will come up with a creative way to leverage it to do something evil.

It was definitely a surprise to see Cisco's reaction. I don't think that's the best approach. I do feel that it is happening less and that vendors are realizing that we don't want to work against them, but with them.

There's always code reuse in development, which is a good thing. No one writes an entire application from scratch. But if you're using someone else's code, you're relying on the security of that code. Developers need to apply the same level of security testing to those shared pieces as they do to their own code.

This is relatively easy to exploit. It takes some degree of social engineering -- the attacker would have to draw people to a malicious Web site -- but after that, there's no further intervention required. An attacker could leverage this to write to a file on the hard drive. And once you can write to a person's machine, you have full control.

Patching is very urgent, ... We expect public exploit code to become available, especially for the MSDTC issue.

Ocean Champions has the potential to be one of the most transformative things we've ever done in the whole conservation movement.

I would certainly recommend that users implement the vendor workarounds until a patch is made available. We feel that exploit code can and will be created.

Orders are slow right now.

There is some irony there.