On Sat, 23 Jan 2010, Gadi Evron wrote:

> On 1/23/10 2:02 AM, Rich Kulawiec wrote:
>> Meanwhile, Microsoft has essentially unlimited personnel and financial
>> resources. They could hire 500 top-notch staff tomorrow, pay them
>> out of petty cash, and completely rewrite IE with security as the
>> overarching design goal -- if they wanted to. They could have done
>> so years ago -- if they wanted to.
>
> Microsoft has put a lot into securing its code, and is very good at
> doing so.

Not really. I've seen a number of cases where they fixed the known
exploit without patching the underlying bug.

> My main argument here is about the policy of handling vulnerabilities
> for 6 months without patching (such as this one apparently was) and the
> policy of waiting a whole month before patching an in-the-wild 0day exploit.

I once advised them of a vulnerability (UPnP) via a backchannel. They
didn't fix it until it became public, 2 years later. We had a gentleman's
agreement that I wouldn't release it, which I honored. There was no
discussion of me using it, though.

> Microsoft is the main proponent of responsible disclosure, and has shown
> it is a responsible vendor. Also, patching vulnerabilities is far from
> easy, and Microsoft has done a tremendous job at getting it done. I
> simply call on it to stay responsible and amend its faulty and dangerous
> policies. A whole month as the default response to patching a 0day? Really?
>
> With their practical monopoly, and the resulting monoculture, perhaps
> their policies ought to be examined for regulation as critical
> infrastructure, if they can't bring themselves to be more responsible on
> their own.

Civil liability. When vendors are held accountable for financial losses
caused by unpatched bugs, there will be far fewer cases.

> This is the first time in a long while that I find it fit to criticize
> Microsoft on security. Perhaps they have grown complacent with the PR
> nightmare of full disclosure a decade behind them, with most
> vulnerabilities now "sold" to them directly or indirectly by the
> security industry.

Same old. I've seen this with vendors since the 70s. It's much cheaper
to keep a bug secret than to patch it before it becomes public. A great
example is the finger bug. Discovered in the 70s, still working in the
mid 90s, because "only a few people know about it".

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
