funsec mailing list archives
Re: fog of cyberwar
From: Gadi Evron <ge () linuxbox org>
Date: Sat, 23 Jan 2010 08:34:16 +0200
On 1/23/10 2:02 AM, Rich Kulawiec wrote:
> Meanwhile, Microsoft has essentially unlimited personnel and financial resources. They could hire 500 top-notch staff tomorrow, pay them out of petty cash, and completely rewrite IE with security as the overarching design goal -- if they wanted to. They could have done so years ago -- if they wanted to.
Microsoft has put a lot into securing its code, and is very good at doing so. My main argument here is about the policy of handling vulnerabilities for 6 months without patching (such as this one apparently was) and the policy of waiting a whole month before patching an in-the-wild 0day exploit.

Microsoft is the main proponent of responsible disclosure, and has shown it is a responsible vendor. Also, patching vulnerabilities is far from easy, and Microsoft has done a tremendous job at getting it done. I simply call on it to stay responsible and amend its faulty and dangerous policies.

A whole month as the default response to patching a 0day? Really?

With their practical monopoly, and the resulting monoculture, perhaps their policies ought to be examined for regulation as critical infrastructure, if they can't bring themselves to be more responsible on their own.

This is the first time in a long while that I find it fit to criticize Microsoft on security. Perhaps they have grown complacent with the PR nightmare of full disclosure a decade behind them, with most vulnerabilities now "sold" to them directly or indirectly by the security industry.

Gadi.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.