funsec mailing list archives

Re: fog of cyberwar


From: Gadi Evron <ge () linuxbox org>
Date: Sat, 23 Jan 2010 08:34:16 +0200

On 1/23/10 2:02 AM, Rich Kulawiec wrote:
> Meanwhile, Microsoft has essentially unlimited personnel and financial
> resources.  They could hire 500 top-notch staff tomorrow, pay them
> out of petty cash, and completely rewrite IE with security as the
> overarching design goal -- if they wanted to.  They could have done
> so years ago -- if they wanted to.

Microsoft has put a lot into securing its code, and is very good at 
doing so.

My main argument here is about the policy of handling vulnerabilities 
for 6 months without patching (such as this one apparently was) and the 
policy of waiting a whole month before patching an in-the-wild 0day exploit.

Microsoft is the main proponent of responsible disclosure, and has shown 
it is a responsible vendor. Also, patching vulnerabilities is far from 
easy, and Microsoft has done a tremendous job at getting it done. I 
simply call on it to stay responsible and amend its faulty and dangerous 
policies. A whole month as the default response to patching a 0day? Really?

With their practical monopoly, and the resulting monoculture, perhaps 
their policies ought to be examined for regulation as critical 
infrastructure, if they can't bring themselves to be more responsible on 
their own.

This is the first time in a long while that I find it fit to criticize 
Microsoft on security. Perhaps they have grown complacent with the PR 
nightmare of full disclosure a decade behind them, with most 
vulnerabilities now "sold" to them directly or indirectly by the 
security industry.

        Gadi.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.