funsec mailing list archives
Re: fog of cyberwar
From: phester <funsec () armorfirewall com>
Date: Sat, 23 Jan 2010 11:22:00 -0500 (EST)
On Sat, 23 Jan 2010, Gadi Evron wrote:

> On 1/23/10 2:02 AM, Rich Kulawiec wrote:
>> Meanwhile, Microsoft has essentially unlimited personnel and financial resources. They could hire 500 top-notch staff tomorrow, pay them out of petty cash, and completely rewrite IE with security as the overarching design goal -- if they wanted to. They could have done so years ago -- if they wanted to.
>
> Microsoft has put a lot into securing its code, and is very good at doing so.

Not really. I've seen a number of cases where they fixed the known exploit without patching the underlying bug.

> My main argument here is about the policy of handling vulnerabilities for 6 months without patching (such as this one apparently was) and the policy of waiting a whole month before patching an in-the-wild 0day exploit.

I once advised them of a vulnerability (UPnP) via a backchannel. They didn't fix it until it became public, 2 years later. We had a gentleman's agreement that I wouldn't release it, which I honored. There was no discussion of me using it, though.

> Microsoft is the main proponent of responsible disclosure, and has shown it is a responsible vendor. Also, patching vulnerabilities is far from easy, and Microsoft has done a tremendous job at getting it done. I simply call on it to stay responsible and amend its faulty and dangerous policies. A whole month as the default response to patching a 0day? Really? With their practical monopoly, and the resulting monoculture, perhaps their policies ought to be examined for regulation as critical infrastructure, if they can't bring themselves to be more responsible on their own.

Civil liability. When vendors are held accountable for financial losses caused by unpatched bugs, there will be far fewer cases.

> This is the first time in a long while that I find it fit to criticize Microsoft on security. Perhaps they have grown complacent with the PR nightmare of full disclosure a decade behind them, with most vulnerabilities now "sold" to them directly or indirectly by the security industry.

Same old. I've seen this with vendors since the 70s. It's much cheaper to keep a bug secret than to patch it before it becomes public. A great example is the finger bug. Discovered in the 70s, still working in the mid 90s, because "only a few people know about it".

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.