Anyone see a game changer here?

Gadi Evron ge at
Sat Jan 23 06:32:20 UTC 2010

On 1/23/10 6:08 AM, Steven Bellovin wrote:
> I think that that's wishful thinking.  IE has fewer security problems because Microsoft has put a tremendous amount of effort -- and often fought its own developers -- in a disciplined software development environment with careful, structured security reviews by people who have the power to say "no, you can't ship this".  They've also put a lot of effort into building and using security tools.  (For earlier comments by me on this subject, see
> I'm not a fan of Windows.  I think it's ugly and bloated, and I don't like it as a user environment.  I'm typing this on a Mac (which I like for its JFW properties, not its security; I do not think it is more secure than Vista or Windows 7); I'm also a heavy user -- and a developer -- of NetBSD.  If the world suddenly switched its OS of choice away from Windows, I wouldn't weep.  But I also would and do hope that the other platforms, be they open or closed source, would learn from what Bill Gates has done well.

Microsoft has put a lot into securing its code, and is very good at 
doing so.

My main argument here is about the policy of handling vulnerabilities 
for 6 months without patching (such as this one apparently was) and the 
policy of waiting a whole month before patching an in-the-wild 0day exploit.

Microsoft is the main proponent of responsible disclosure, and has shown 
it is a responsible vendor. Also, patching vulnerabilities is far from 
easy, and Microsoft has done a tremendous job at getting it done. I 
simply call on it to stay responsible and amend its faulty and dangerous 
policies. A whole month as the default response to patching a 0day? Really?

With their practical monopoly, and the resulting monoculture, perhaps 
their policies ought to be examined for regulation as critical 
infrastructure, if they can't bring themselves to be more responsible on 
their own.

This is the first time in a long while that I find it fit to criticize 
Microsoft on security. Perhaps they have grown complacent with the PR 
nightmare of full disclosure a decade behind them, with most 
vulnerabilities now "sold" to them directly or indirectly by the 
security industry.


Gadi Evron,
ge at


More information about the NANOG mailing list