The only thing we know for certain is that they didn't find them all. That point has been driven home decisively by Blaster and Nachi.
And what about the flaws MS probably found during the code audit and that were never published? I would like to see MS releasing patches/fixes for flaws they found during these audits. Or did they find none?
During the launch of Windows XP, Microsoft announced that they had "eliminated" buffer overflows in Windows XP (using a commercial tool that they had purchased). One month later eEye announced what I still believe to be the most devastating hole in Windows, the UPnP vulnerability. It hasn't been exploited like RPC DCOM has, but it's an even more serious vulnerability.
How many more are lying around waiting to be exploited? It's obvious that Microsoft doesn't know.
Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
