On 1/23/10 2:02 AM, Rich Kulawiec wrote:
> Meanwhile, Microsoft has essentially unlimited personnel and financial
> resources. They could hire 500 top-notch staff tomorrow, pay them
> out of petty cash, and completely rewrite IE with security as the
> overarching design goal -- if they wanted to. They could have done
> so years ago -- if they wanted to.

Microsoft has put a lot into securing its code, and is very good at
doing so.

My main argument here is about the policy of handling vulnerabilities
for 6 months without patching (such as this one apparently was) and the
policy of waiting a whole month before patching an in-the-wild 0day exploit.

Microsoft is the main proponent of responsible disclosure, and has shown
it is a responsible vendor. Also, patching vulnerabilities is far from
easy, and Microsoft has done a tremendous job at getting it done. I
simply call on it to stay responsible and amend its faulty and dangerous
policies. A whole month as the default response to patching a 0day? Really?

With their practical monopoly, and the resulting monoculture, perhaps
their policies ought to be examined for regulation as critical
infrastructure, if they can't bring themselves to be more responsible on
their own.

This is the first time in a long while that I find it fit to criticize
Microsoft on security. Perhaps they have grown complacent with the PR
nightmare of full disclosure a decade behind them, with most
vulnerabilities now "sold" to them directly or indirectly by the
security industry.

Gadi.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.